VYPR

vTiger

by Vtiger

CVEs (42)

  • CVE-2013-3214CriJan 28, 2020
    risk 0.73cvss 9.8epss 0.85

    vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

  • CVE-2013-3591HigFeb 7, 2020
    risk 0.64cvss 8.8epss 0.43

    vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

  • CVE-2015-6000HigFeb 6, 2020
    risk 0.63cvss 8.8epss 0.40

    Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an…

  • CVE-2024-44777CriAug 29, 2024
    risk 0.62cvss 9.6epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

  • CVE-2019-19202HigNov 21, 2019
    risk 0.57cvss 8.8epss 0.01

    In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.

  • CVE-2016-10754HigMay 24, 2019
    risk 0.57cvss 8.8epss 0.01

    modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.

  • CVE-2019-11057HigMay 17, 2019
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.

  • CVE-2013-3212HigJan 28, 2020
    risk 0.56cvss 8.1epss 0.08

    vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.

  • CVE-2024-42995HigAug 16, 2024
    risk 0.54cvss 8.3epss 0.00

    VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.

  • CVE-2023-46304HigApr 30, 2024
    risk 0.53cvss 8.1epss 0.02

    modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

  • CVE-2016-4834HigAug 1, 2016
    risk 0.53cvss 8.1epss 0.02

    modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.

  • CVE-2016-1713HigApr 14, 2017
    risk 0.52cvss 7.3epss 0.17

    Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an…

  • CVE-2025-45753HigMay 21, 2025
    risk 0.47cvss 7.2epss 0.00

    A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.

  • CVE-2024-42994HigAug 16, 2024
    risk 0.47cvss 7.2epss 0.00

    VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module.

  • CVE-2025-45755MedMay 21, 2025
    risk 0.40cvss 6.1epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the…

  • CVE-2024-44776MedAug 29, 2024
    risk 0.40cvss 6.1epss 0.00

    An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.

  • CVE-2018-8047MedJun 6, 2019
    risk 0.40cvss 6.1epss 0.01

    vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via…

  • CVE-2022-38335MedSep 27, 2022
    risk 0.35cvss 5.4epss 0.01

    Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.

  • CVE-2025-1618MedFeb 24, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely.…

  • CVE-2014-2268Nov 16, 2014
    risk 0.05cvss epss 0.31

    views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code…

Page 1 of 3