CRM

In SuiteCRM version 7.14.1 a medium severity vulnerability CVE‑2025‑41384 was detected. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript at the end; the server will attempt to block the arbitrary domain but still allow the JavaScript code to execute. To address this issue, users should upgrade SuiteCRM to version 7.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41384.

In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43776 was detected. This vulnerability allows a remote authenticated attacker to inject JavaScript through a Custom Object field label. To address this issue, users should upgrade Liferay Portal to the latest patched version on the master branch, or Liferay DXP to versions 2024.Q1.20, 2025.Q1.17, or 2025.Q2.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43776.

In SuiteCRM version 7.14.6 a low severity vulnerability CVE-2025-54787 was detected. This vulnerability allows unauthenticated attackers to download files from the upload directory if the file is named by a valid ID, potentially exposing sensitive internal files. To address this issue, users should upgrade SuiteCRM to versions 7.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54787.

In SuiteCRM versions 7.14.0 through 7.14.6 a medium severity vulnerability CVE-2025-54784 was detected. This vulnerability allows attackers to execute arbitrary actions as a logged-in user by sending a crafted email that triggers a Cross-Site Scripting (XSS) payload when viewed in the email viewer, potentially leading to data theft or full instance takeover. To address this issue, users should upgrade SuiteCRM to versions 7.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54784.

In SuiteCRM version 7.12.7 a high severity vulnerability CVE-2022-45186 was detected. This vulnerability allows authenticated users to recover arbitrary fields from the database. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-45186.

In MonicaHQ version 4.1.2 a medium severity vulnerability CVE-2024-54999 was detected. This vulnerability allows attackers to exploit a Client-Side Injection via the `last_name` parameter in the General Information module. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54999.

In MonicaHQ version 4.1.1 a medium severity vulnerability CVE-2024-54997 was detected. This vulnerability allows attackers to exploit an authenticated Client-Side Injection via the `entry` text field at `/journal/entries/ID/edit`. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54997.

In SuiteCRM versions 7.14.4 and 8.6.1 a high severity vulnerability CVE-2024-45392 was detected. This vulnerability allows attackers to delete records via the API due to insufficient access control checks. To fix this issue users must upgrade to versions 7.14.5 and 8.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45392.

In SuiteCRM versions 7.14.4 and 8.6.1 a medium severity vulnerability CVE-2024-36414 was detected. This vulnerability allows attackers to perform a server-side request forgery attack. To address this issue, users must install the fix in the versions 7.14.4 and 8.6.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36414/.