Guilhermemury

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.15.1 SuiteCRM versions prior to 8.9.3 **Description** SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A SQL Injection issue exists in the authentication mechanisms when directory support is enabled. The application does not properly sanitize the `username` supplied by the user before using it in a database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, potentially leading to complete privilege escalation, such as logging in as the CRM Administrator. **Recommendations** SuiteCRM versions prior to 7.15.1 should be updated to version 7.15.1 or later. SuiteCRM versions prior to 8.9.3 should be updated to version 8.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.15.1 SuiteCRM versions prior to 8.9.3 **Description** SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A flaw exists in the authentication process where the application does not properly validate user-provided input before including it in the LDAP search filter. An attacker can inject LDAP control characters to manipulate the query logic, potentially leading to authentication bypass or information disclosure. The `LDAP` search filter is vulnerable to manipulation through injected control characters. The vulnerable component is the authentication flow. **Recommendations** Versions prior to 7.15.1 should be updated to version 7.15.1 or later. Versions prior to 8.9.3 should be updated to version 8.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 6.5.3 **Description** ChurchCRM, an open-source church management system, contains a SQL injection issue. The vulnerability resides in the `src/CartToFamily.php` file, specifically in the handling of the `PersonAddress` POST parameter. The `PersonAddress` parameter lacks proper type casting, unlike other parameters in the same file, allowing for the injection of arbitrary SQL commands. **Recommendations** Update to version 6.5.3 or later.