vTiger
by Vtiger
CVEs (42)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3214 | Cri | 0.73 | 9.8 | 0.85 | Jan 28, 2020 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. | ||
| CVE-2013-3591 | Hig | 0.64 | 8.8 | 0.43 | Feb 7, 2020 | vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability | ||
| CVE-2015-6000 | Hig | 0.63 | 8.8 | 0.40 | Feb 6, 2020 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an… | ||
| CVE-2024-44777 | Cri | 0.62 | 9.6 | 0.01 | Aug 29, 2024 | A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||
| CVE-2019-19202 | Hig | 0.57 | 8.8 | 0.01 | Nov 21, 2019 | In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | ||
| CVE-2016-10754 | Hig | 0.57 | 8.8 | 0.01 | May 24, 2019 | modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. | ||
| CVE-2019-11057 | Hig | 0.57 | 8.8 | 0.01 | May 17, 2019 | SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | ||
| CVE-2013-3212 | Hig | 0.56 | 8.1 | 0.08 | Jan 28, 2020 | vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. | ||
| CVE-2024-42995 | Hig | 0.54 | 8.3 | 0.00 | Aug 16, 2024 | VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules. | ||
| CVE-2023-46304 | Hig | 0.53 | 8.1 | 0.02 | Apr 30, 2024 | modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load). | ||
| CVE-2016-4834 | Hig | 0.53 | 8.1 | 0.02 | Aug 1, 2016 | modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. | ||
| CVE-2016-1713 | Hig | 0.52 | 7.3 | 0.17 | Apr 14, 2017 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an… | ||
| CVE-2025-45753 | Hig | 0.47 | 7.2 | 0.00 | May 21, 2025 | A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. | ||
| CVE-2024-42994 | Hig | 0.47 | 7.2 | 0.00 | Aug 16, 2024 | VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module. | ||
| CVE-2025-45755 | Med | 0.40 | 6.1 | 0.00 | May 21, 2025 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the… | ||
| CVE-2024-44776 | Med | 0.40 | 6.1 | 0.00 | Aug 29, 2024 | An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL. | ||
| CVE-2018-8047 | Med | 0.40 | 6.1 | 0.01 | Jun 6, 2019 | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via… | ||
| CVE-2022-38335 | Med | 0.35 | 5.4 | 0.01 | Sep 27, 2022 | Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. | ||
| CVE-2025-1618 | Med | 0.28 | 4.3 | 0.00 | Feb 24, 2025 | A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely.… | ||
| CVE-2014-2268 | 0.05 | — | 0.31 | Nov 16, 2014 | views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code… |
- risk 0.73cvss 9.8epss 0.85
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
- risk 0.64cvss 8.8epss 0.43
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
- risk 0.63cvss 8.8epss 0.40
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an…
- risk 0.62cvss 9.6epss 0.01
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
- risk 0.57cvss 8.8epss 0.01
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
- risk 0.57cvss 8.8epss 0.01
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
- risk 0.56cvss 8.1epss 0.08
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.
- risk 0.54cvss 8.3epss 0.00
VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.
- risk 0.53cvss 8.1epss 0.02
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
- risk 0.53cvss 8.1epss 0.02
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
- risk 0.52cvss 7.3epss 0.17
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an…
- risk 0.47cvss 7.2epss 0.00
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.
- risk 0.47cvss 7.2epss 0.00
VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module.
- risk 0.40cvss 6.1epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the…
- risk 0.40cvss 6.1epss 0.00
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
- risk 0.40cvss 6.1epss 0.01
vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via…
- risk 0.35cvss 5.4epss 0.01
Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
- risk 0.28cvss 4.3epss 0.00
A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely.…
- CVE-2014-2268Nov 16, 2014risk 0.05cvss —epss 0.31
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code…
Page 1 of 3