CRM
by Frappe
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-2380 | | Med | 0.66 | 6.6 | 0.29 | KEV | Mar 1, 2018 | SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. |
| CVE-2013-3214 | | | 0.10 | — | 0.85 | | Jan 28, 2020 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. |
| CVE-2013-3591 | | | 0.09 | — | 0.43 | | Feb 7, 2020 | vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability |
| CVE-2013-3215 | | | 0.09 | — | 0.69 | | Jan 29, 2020 | vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. |
| CVE-2013-3212 | | | 0.05 | — | 0.08 | | Jan 28, 2020 | vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. |
| CVE-2019-5009 | | | 0.04 | — | 0.10 | | Jan 4, 2019 | Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a… |
| CVE-2005-3819 | | | 0.03 | — | 0.03 | | Nov 26, 2005 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module. |
| CVE-2025-68928 | | | 0.00 | — | 0.00 | | Dec 29, 2025 | Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available. |
| CVE-2023-38891 | | | 0.00 | — | 0.01 | | Sep 14, 2023 | SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. |
| CVE-2023-27897 | | | 0.00 | — | 0.01 | | Apr 11, 2023 | In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be… |
| CVE-2022-38335 | | | 0.00 | — | 0.01 | | Sep 27, 2022 | Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. |
| CVE-2006-4617 | | | 0.00 | — | 0.01 | | Sep 7, 2006 | Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder. |
| CVE-2005-3822 | | | 0.00 | — | 0.01 | | Nov 26, 2005 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module. |
| CVE-2005-3821 | | | 0.00 | — | 0.01 | | Nov 26, 2005 | Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name. |