VYPR

CRM

by Rukovoditel

CVEs (24)

  • CVE-2026-31845CriApr 11, 2026
    risk 0.60cvss 9.3epss 0.01

    A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response…

  • CVE-2025-5993CriSep 8, 2025
    risk 0.60cvss epss 0.01

    ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit vulnerable parameter fileName and construct payloads that allow to download any file accessible by the the web server process.

  • CVE-2024-40530HigAug 5, 2024
    risk 0.49cvss 7.5epss 0.00

    A vulnerability in Pantera CRM versions 401.152 and 402.072 allows unauthorized attackers to bypass IP-based access controls by manipulating the X-Forwarded-For header.

  • CVE-2025-14189HigDec 7, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in Chanjet CRM up to 20251121. Affected is an unknown function of the file /tools/jxf_dump_table_demo.php. The manipulation of the argument gblOrgID results in sql injection. The attack may be performed from remote. The exploit is now public and may…

  • CVE-2025-13788HigNov 30, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been…

  • CVE-2025-60375HigOct 9, 2025
    risk 0.47cvss 7.3epss 0.00

    The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts,…

  • CVE-2025-7915HigJul 21, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in Chanjet CRM 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /mail/mailinactive.php of the component Login Page. The manipulation leads to sql injection. The attack may be launched remotely. The exploit…

  • CVE-2025-7801HigJul 18, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be…

  • CVE-2025-6132HigJun 16, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in Chanjet CRM 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysconfig/departmentsetting.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be launched…

  • CVE-2025-27430LowMar 11, 2025
    risk 0.23cvss 3.5epss 0.00

    Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the…

  • CVE-2023-46304Apr 30, 2024
    risk 0.02cvss epss 0.02

    modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

  • CVE-2026-26720Mar 2, 2026
    risk 0.00cvss epss 0.01

    An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.

  • CVE-2026-0488Feb 10, 2026
    risk 0.00cvss epss 0.00

    An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database…

  • CVE-2025-10345Sep 29, 2025
    risk 0.00cvss epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'.

  • CVE-2025-10344Sep 29, 2025
    risk 0.00cvss epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'.

  • CVE-2025-10343Sep 29, 2025
    risk 0.00cvss epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'expense_name' at the endpoint '/expenses/expense'.

  • CVE-2025-10342Sep 29, 2025
    risk 0.00cvss epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'name' at the endpoint '/subscriptions/create'.

  • CVE-2025-10341Sep 29, 2025
    risk 0.00cvss epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the endpoint '/clients/client/x.

  • CVE-2025-5152May 25, 2025
    risk 0.00cvss epss 0.00

    A vulnerability classified as critical was found in Chanjet CRM up to 20250510. This vulnerability affects unknown code of the file /activity/newActivityedit.php?DontCheckLogin=1&id=null&ret=mod1. The manipulation of the argument gblOrgID leads to sql injection. The attack can…

  • CVE-2025-1618Feb 24, 2025
    risk 0.00cvss epss 0.00

    A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely.…

Page 1 of 2