Manuelz120

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.12.2 and 8.0.2 **Description** The issue allows remote code execution. Authenticated users with access to the Scheduled Reports module can exploit this by leveraging PHP deserialization in the `email recipients` property. They can create a malicious report containing a PHP-deserialization payload in the `email recipients` field. Once someone accesses this report, the backend will deserialize the content of the `email recipients` field and the payload gets executed. Project dependencies include PHP deserialization gadgets that can be used for code execution. **Recommendations** For SuiteCRM versions prior to 7.12.2, update to version 7.12.2 or later to resolve the issue. For SuiteCRM version 8.0.1, update to version 8.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Scheduled Reports module until a patch is available. Avoid using the `email recipients` field in the Scheduled Reports module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.12.3 SuiteCRM versions 8.x prior to 8.0.2 **Description** The issue allows remote code execution. **Recommendations** For versions prior to 7.12.3, update to version 7.12.3 or later. For versions 8.x prior to 8.0.2, update to version 8.0.2 or later.

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 7.12.2 and earlier, 8.x versions prior to 8.0.1 Description: The issue allows authenticated SQL injection via the Tooltips action in the Project module, involving `resource id` and `start date`. This can be exploited by authenticated users. Recommendations: For SuiteCRM versions 7.12.2 and earlier, update to version 7.12.2 or later. For SuiteCRM 8.x versions prior to 8.0.1, update to version 8.0.1 or later. As a temporary workaround, consider restricting access to the Tooltips action in the Project module until a patch is available.