Vtigercrm

CVEs (57)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2016-1713	Vtiger Vtigercrm	Hig	0.55	7.3	0.62	Apr 14, 2017	Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an…
CVE-2016-4834	Perfexcrm Crm	Hig	0.53	8.1	0.01	Aug 1, 2016	modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
CVE-2026-26460	Vtiger Vtigercrm	Med	0.40	6.1	0.00	Apr 13, 2026	A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into…
CVE-2015-6000	Vtiger Vtigercrm		0.09	—	0.77	Feb 6, 2020	Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an…
CVE-2014-2268	Vtiger Vtigercrm		0.09	—	0.77	Nov 16, 2014	views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code…
CVE-2011-4670	Vtiger Vtigercrm		0.06	—	0.36	Dec 2, 2011	Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4)…
CVE-2009-3249	Vtiger Vtigercrm		0.05	—	0.26	Sep 18, 2009	Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable…
CVE-2019-5009	Vtiger Vtigercrm		0.04	—	0.13	Jan 4, 2019	Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…
CVE-2014-1222	Vtiger Vtigercrm		0.04	—	0.10	Aug 12, 2014	Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the…
CVE-2009-3250	Vtiger Vtigercrm		0.04	—	0.17	Sep 18, 2009	The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP…
CVE-2008-3101	Vtiger Vtigercrm		0.04	—	0.07	Sep 3, 2008	Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…
CVE-2006-5289	Vtiger Vtigercrm		0.04	—	0.12	Oct 13, 2006	Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3)…
CVE-2013-3213	Perfexcrm Crm		0.03	—	0.00	Apr 2, 2014	Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to…
CVE-2013-5091	Vtiger Vtigercrm		0.03	—	0.00	Oct 4, 2013	SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
CVE-2012-4867	Vtiger Vtigercrm		0.03	—	0.05	Sep 6, 2012	Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.
CVE-2011-4559	Vtiger Vtigercrm		0.03	—	0.01	Nov 28, 2011	SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
CVE-2009-3248	Vtiger Vtigercrm		0.03	—	0.00	Sep 18, 2009	Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.
CVE-2009-3247	Vtiger Vtigercrm		0.03	—	0.05	Sep 18, 2009	Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
CVE-2005-3818	Vtiger Vtigercrm		0.03	—	0.02	Nov 26, 2005	Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…
CVE-2005-3819	Vtiger Vtigercrm		0.03	—	0.02	Nov 26, 2005	Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.

CVE-2016-1713HigApr 14, 2017
Vtiger
Vtigercrm
risk 0.55cvss 7.3epss 0.62
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an…
CVE-2016-4834HigAug 1, 2016
Perfexcrm
Crm
risk 0.53cvss 8.1epss 0.01
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
CVE-2026-26460MedApr 13, 2026
Vtiger
Vtigercrm
risk 0.40cvss 6.1epss 0.00
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into…
CVE-2015-6000Feb 6, 2020
Vtiger
Vtigercrm
risk 0.09cvss —epss 0.77
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an…
CVE-2014-2268Nov 16, 2014
Vtiger
Vtigercrm
risk 0.09cvss —epss 0.77
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code…
CVE-2011-4670Dec 2, 2011
Vtiger
Vtigercrm
risk 0.06cvss —epss 0.36
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4)…
CVE-2009-3249Sep 18, 2009
Vtiger
Vtigercrm
risk 0.05cvss —epss 0.26
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable…
CVE-2019-5009Jan 4, 2019
Vtiger
Vtigercrm
risk 0.04cvss —epss 0.13
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…
CVE-2014-1222Aug 12, 2014
Vtiger
Vtigercrm
risk 0.04cvss —epss 0.10
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the…
CVE-2009-3250Sep 18, 2009
Vtiger
Vtigercrm
risk 0.04cvss —epss 0.17
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP…
CVE-2008-3101Sep 3, 2008
Vtiger
Vtigercrm
risk 0.04cvss —epss 0.07
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…
CVE-2006-5289Oct 13, 2006
Vtiger
Vtigercrm
risk 0.04cvss —epss 0.12
Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3)…
CVE-2013-3213Apr 2, 2014
Perfexcrm
Crm
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to…
CVE-2013-5091Oct 4, 2013
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.00
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
CVE-2012-4867Sep 6, 2012
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.05
Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.
CVE-2011-4559Nov 28, 2011
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
CVE-2009-3248Sep 18, 2009
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.00
Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.
CVE-2009-3247Sep 18, 2009
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
CVE-2005-3818Nov 26, 2005
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…
CVE-2005-3819Nov 26, 2005
Vtiger
Vtigercrm
risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.

Page 1 of 3