Vtigercrm
by Vtiger
CVEs (52)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-3247 | 0.03 | — | 0.03 | Sep 18, 2009 | Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3. | |||
| CVE-2008-3101 | 0.03 | — | 0.04 | Sep 3, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an… | |||
| CVE-2005-3819 | 0.03 | — | 0.03 | Nov 26, 2005 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module. | |||
| CVE-2005-3818 | 0.03 | — | 0.05 | Nov 26, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView… | |||
| CVE-2014-2269 | 0.01 | — | 0.16 | Apr 22, 2014 | modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters. | |||
| CVE-2010-3910 | 0.01 | — | 0.07 | Nov 26, 2010 | Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or… | |||
| CVE-2013-7326 | 0.00 | — | 0.02 | Feb 14, 2014 | Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)… | |||
| CVE-2011-4680 | 0.00 | — | 0.01 | Dec 7, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2011-4679 | 0.00 | — | 0.01 | Dec 7, 2011 | vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. | |||
| CVE-2010-3911 | 0.00 | — | 0.01 | Nov 26, 2010 | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label… | |||
| CVE-2010-3909 | 0.00 | — | 0.02 | Nov 26, 2010 | Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file… | |||
| CVE-2009-3258 | 0.00 | — | 0.02 | Sep 18, 2009 | vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12)… | |||
| CVE-2009-3257 | 0.00 | — | 0.01 | Sep 18, 2009 | vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. | |||
| CVE-2009-3251 | 0.00 | — | 0.01 | Sep 18, 2009 | include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. | |||
| CVE-2008-3458 | 0.00 | — | 0.03 | Aug 4, 2008 | Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. | |||
| CVE-2007-3617 | 0.00 | — | 0.01 | Jul 6, 2007 | The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries. | |||
| CVE-2007-3598 | 0.00 | — | 0.01 | Jul 6, 2007 | index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of… | |||
| CVE-2007-3599 | 0.00 | — | 0.01 | Jul 6, 2007 | vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission. | |||
| CVE-2007-3600 | 0.00 | — | 0.02 | Jul 6, 2007 | WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module. | |||
| CVE-2007-3616 | 0.00 | — | 0.01 | Jul 6, 2007 | index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module. |
- CVE-2009-3247Sep 18, 2009risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
- CVE-2008-3101Sep 3, 2008risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…
- CVE-2005-3819Nov 26, 2005risk 0.03cvss —epss 0.03
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.
- CVE-2005-3818Nov 26, 2005risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…
- CVE-2014-2269Apr 22, 2014risk 0.01cvss —epss 0.16
modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.
- CVE-2010-3910Nov 26, 2010risk 0.01cvss —epss 0.07
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or…
- CVE-2013-7326Feb 14, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)…
- CVE-2011-4680Dec 7, 2011risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2011-4679Dec 7, 2011risk 0.00cvss —epss 0.01
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.
- CVE-2010-3911Nov 26, 2010risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label…
- CVE-2010-3909Nov 26, 2010risk 0.00cvss —epss 0.02
Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file…
- CVE-2009-3258Sep 18, 2009risk 0.00cvss —epss 0.02
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12)…
- CVE-2009-3257Sep 18, 2009risk 0.00cvss —epss 0.01
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
- CVE-2009-3251Sep 18, 2009risk 0.00cvss —epss 0.01
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.
- CVE-2008-3458Aug 4, 2008risk 0.00cvss —epss 0.03
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
- CVE-2007-3617Jul 6, 2007risk 0.00cvss —epss 0.01
The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries.
- CVE-2007-3598Jul 6, 2007risk 0.00cvss —epss 0.01
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of…
- CVE-2007-3599Jul 6, 2007risk 0.00cvss —epss 0.01
vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission.
- CVE-2007-3600Jul 6, 2007risk 0.00cvss —epss 0.02
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.
- CVE-2007-3616Jul 6, 2007risk 0.00cvss —epss 0.01
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.
Page 2 of 3