VYPR

CRM

by Frappe

CVEs (14)

  • CVE-2018-2380 | Med | KEV | Mar 1, 2018
    risk 0.66 | cvss 6.6 | epss 0.29

    SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

  • CVE-2013-3214 | Jan 28, 2020
    risk 0.10 | cvss | epss 0.85

    vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

  • CVE-2013-3591 | Feb 7, 2020
    risk 0.09 | cvss | epss 0.43

    vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

  • CVE-2013-3215 | Jan 29, 2020
    risk 0.09 | cvss | epss 0.69

    vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

  • CVE-2013-3212 | Jan 28, 2020
    risk 0.05 | cvss | epss 0.08

    vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.

  • CVE-2019-5009 | Jan 4, 2019
    risk 0.04 | cvss | epss 0.10

    Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…

  • CVE-2005-3819 | Nov 26, 2005
    risk 0.03 | cvss | epss 0.03

    Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.

  • CVE-2025-68928 | Dec 29, 2025
    risk 0.00 | cvss | epss 0.00

    Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available.

  • CVE-2023-38891 | Sep 14, 2023
    risk 0.00 | cvss | epss 0.01

    SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

  • CVE-2023-27897 | Apr 11, 2023
    risk 0.00 | cvss | epss 0.01

    In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be…

  • CVE-2022-38335 | Sep 27, 2022
    risk 0.00 | cvss | epss 0.01

    Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.

  • CVE-2006-4617 | Sep 7, 2006
    risk 0.00 | cvss | epss 0.01

    Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder.

  • CVE-2005-3822 | Nov 26, 2005
    risk 0.00 | cvss | epss 0.01

    Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module.

  • CVE-2005-3821 | Nov 26, 2005
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name.