SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
{
"unresolved_ranges": [
{
"vendor_product": "salesagility:suitecrm",
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"source": "CPE_RANGE",
"extracted_events": [
{
"fixed": "7.10.33"
},
{
"fixed": "7.10.33"
},
{
"introduced": "7.11.0"
},
{
"fixed": "7.11.22"
},
{
"introduced": "7.11.0"
},
{
"fixed": "7.11.22"
}
]
}
]
}