SuiteCRM · SuiteCRM · CVE-2026-29104
**Name of the Vulnerable Software and Affected Versions**
SuiteCRM versions prior to 7.15.1
SuiteCRM versions prior to 8.9.3
**Description**
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it contains an authenticated arbitrary file upload issue in the Configurator module. An authenticated administrator can bypass file type restrictions when uploading PDF font files, allowing arbitrary files with attacker-controlled filenames to be written to the server. While the upload directory is not directly web-accessible by default, this breaks security boundaries and may enable further attacks when combined with other issues or in certain deployment configurations.
**Recommendations**
SuiteCRM versions prior to 7.15.1 should be updated to version 7.15.1 or later.
SuiteCRM versions prior to 8.9.3 should be updated to version 8.9.3 or later.
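After upgrading, it is worth reviewing what already sits in the font upload directory, since the issue described above allowed non-font files with arbitrary names to be written there. The following is an added example, not SuiteCRM code: the function name `audit_font_uploads`, the extension allow-list and the signature table are assumptions to adapt, and the directory to scan is deployment-specific and not given in this advisory.

```python
import tempfile
from pathlib import Path

# Assumed allow-list (not from the advisory): extension -> accepted leading bytes.
SIGNATURES = {
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
}
# Script marker searched for anywhere in the file content.
SCRIPT_MARKERS = (b"<?php",)


def audit_font_uploads(root):
    """Return (relative_path, reason) pairs for files that are not plain fonts."""
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        magics = SIGNATURES.get(path.suffix.lower())
        if magics is None:
            findings.append((rel, "extension not on font allow-list"))
        elif not data.startswith(magics):
            findings.append((rel, "content does not match font signature"))
        # The content scan runs independently of the extension check.
        if any(marker in data for marker in SCRIPT_MARKERS):
            findings.append((rel, "embedded PHP open tag"))
    return findings


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good.ttf").write_bytes(b"\x00\x01\x00\x00" + b"\x00" * 32)
        (d / "notes.php").write_bytes(b"<?php /* constructed sample */ ?>")
        (d / "fake.otf").write_bytes(b"plain text renamed to .otf")
        return audit_font_uploads(d)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Any finding is a prompt for manual review of that file and of the administrator account activity around its modification time, not proof of compromise on its own.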