Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Suitecrm
(Salesagility)| Repositories | https://github.com/salesagility/SuiteCRM |
| #Vulnerabilities | 92 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-06-10 | CVE-2024-36406 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | Suitecrm | N/A | ||
| 2025-08-07 | CVE-2025-54786 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1. | Suitecrm | N/A | ||
| 2025-08-07 | CVE-2025-54785 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1. | Suitecrm | N/A | ||
| 2025-08-07 | CVE-2025-54788 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the InboundEmail module allows the arbitrary execution of queries in the backend database, leading to SQL injection. This can have wide-reaching implications on confidentiality, integrity, and availability, as database data can be retrieved, modified, or removed entirely. This issue is fixed in version 7.14.7. | Suitecrm | N/A | ||
| 2025-08-07 | CVE-2025-54783 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include some arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but allow the JavaScript code to execute. This is fixed in version 7.14.7. | Suitecrm | 6.1 | ||
| 2025-08-07 | CVE-2025-54784 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of the SuiteCRM-instance. By simply viewing emails as the logged-in user, the payload can be triggered. With that, an attacker is able to run arbitrary actions as the logged-in user - like extracting data, or if it is... | Suitecrm | 6.1 | ||
| 2025-08-07 | CVE-2025-54787 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload-directory, as long as it is named by an ID (e.g. attachments). An unauthenticated attacker could download internal files when he discovers a valid file-ID. Valid IDs could be brute-forced, but this is quite time-consuming as the file-IDs are usually UUIDs. This issue is... | Suitecrm | N/A | ||
| 2024-02-20 | CVE-2024-1644 | Suite CRM version 7.14.2 allows including local php files. This is possible because the application is vulnerable to LFI. | Suitecrm | 8.8 | ||
| 2020-02-13 | CVE-2020-8800 | SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. | Suitecrm | 8.8 | ||
| 2020-02-13 | CVE-2020-8801 | SuiteCRM through 7.11.11 allows PHAR Deserialization. | Suitecrm | 7.2 |