
Paul1278

Rank: #20607 of 53,633
Total CVSS: 12.3
Vulnerabilities · 2
Low: 1
High: 1

PT-2025-32237 · CVSS 8.6 · 2025-08-07
Suitecrm · Suitecrm · CVE-2025-54784

**Name of the Vulnerable Software and Affected Versions**
SuiteCRM versions 7.14.0 through 7.14.6

**Description**
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A cross-site scripting (XSS) vulnerability exists in the email viewer. An external attacker could send a prepared message to the inbox of the SuiteCRM instance. When a logged-in user views the email, the payload can be triggered, allowing the attacker to run arbitrary actions as that user, potentially extracting data or taking over the instance if the logged-in user is an administrator.

**Recommendations**
Update to SuiteCRM version 7.14.7.

PT-2025-32317 · CVSS 3.7 · 2025-08-07
Suitecrm · Suitecrm · CVE-2025-54787

**Name of the Vulnerable Software and Affected Versions**
SuiteCRM version 7.14.6

**Description**
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability exists that allows unauthenticated downloads of any file from the upload directory, provided the file is named using an ID (e.g., attachments). An unauthenticated attacker could download internal files by discovering a valid file ID. Valid IDs could be brute-forced, although this may be time-consuming because the file IDs are typically UUIDs.

**Recommendations**
Upgrade to SuiteCRM version 7.14.7 or later.