
Thanhlocpanda

Rank #20755 of 53,632 · Total CVSS 12.2 · Vulnerabilities: 2 (Medium: 2)
PT-2021-22496
6.1
2021-08-18
Suitecrm · Suitecrm · CVE-2021-39267
**Name of the Vulnerable Software and Affected Versions**
SuiteCRM versions prior to 7.11.19

**Description**
The issue allows a remote attacker to introduce arbitrary JavaScript via a Content-Type filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution, such as text/xml, are not blocked.

**Recommendations**
For versions prior to 7.11.19, update to version 7.11.19 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to only the necessary types and validating the Content-Type header to prevent malicious file uploads.
PT-2021-22497
6.1
2021-08-18
Suitecrm · Suitecrm · CVE-2021-39268
**Name of the Vulnerable Software and Affected Versions**
SuiteCRM versions prior to 7.11.19

**Description**
The issue allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files, bypassing the clean file output protection mechanism. This enables the execution of arbitrary code, potentially leading to unauthorized access or data manipulation.

**Recommendations**
For versions prior to 7.11.19, update to version 7.11.19 or later to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files or disabling the web interface until the update is applied.