VYPR

Vtigercrm

by Vtiger

CVEs (52)

  • CVE-2009-3247Sep 18, 2009
    risk 0.03cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.

  • CVE-2008-3101Sep 3, 2008
    risk 0.03cvss epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…

  • CVE-2005-3819Nov 26, 2005
    risk 0.03cvss epss 0.03

    Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.

  • CVE-2005-3818Nov 26, 2005
    risk 0.03cvss epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…

  • CVE-2014-2269Apr 22, 2014
    risk 0.01cvss epss 0.16

    modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.

  • CVE-2010-3910Nov 26, 2010
    risk 0.01cvss epss 0.07

    Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or…

  • CVE-2013-7326Feb 14, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)…

  • CVE-2011-4680Dec 7, 2011
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2011-4679Dec 7, 2011
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.

  • CVE-2010-3911Nov 26, 2010
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label…

  • CVE-2010-3909Nov 26, 2010
    risk 0.00cvss epss 0.02

    Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file…

  • CVE-2009-3258Sep 18, 2009
    risk 0.00cvss epss 0.02

    vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12)…

  • CVE-2009-3257Sep 18, 2009
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.

  • CVE-2009-3251Sep 18, 2009
    risk 0.00cvss epss 0.01

    include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.

  • CVE-2008-3458Aug 4, 2008
    risk 0.00cvss epss 0.03

    Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.

  • CVE-2007-3617Jul 6, 2007
    risk 0.00cvss epss 0.01

    The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries.

  • CVE-2007-3598Jul 6, 2007
    risk 0.00cvss epss 0.01

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of…

  • CVE-2007-3599Jul 6, 2007
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission.

  • CVE-2007-3600Jul 6, 2007
    risk 0.00cvss epss 0.02

    WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.

  • CVE-2007-3616Jul 6, 2007
    risk 0.00cvss epss 0.01

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.