An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.

Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.

Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.

Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.

Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.

Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.