ach-ing/cves

Releases0

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-41597 ↗	Jan 12, 2022Wednesday, 12 January 2022, 20:15	8.8 HIGH	6.8 MEDIUM
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVE-2021-45903 ↗	Dec 28, 2021Tuesday, 28 December 2021, 14:15	6.1 MEDIUM	4.3 MEDIUM
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.
CVE-2021-41595 ↗	Oct 4, 2021Monday, 4 October 2021, 17:15	5.3 MEDIUM	5 MEDIUM
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
CVE-2021-41596 ↗	Oct 4, 2021Monday, 4 October 2021, 17:15	5.3 MEDIUM	5 MEDIUM
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
CVE-2021-41869 ↗	Oct 4, 2021Monday, 4 October 2021, 07:15	8.8 HIGH	6.5 MEDIUM
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.