VYPR

vTiger

by Vtiger

CVEs (42)

  • CVE-2014-1222Aug 12, 2014
    risk 0.04cvss epss 0.09

    Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the…

  • CVE-2009-3250Sep 18, 2009
    risk 0.04cvss epss 0.11

    The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP…

  • CVE-2013-5091Oct 4, 2013
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.

  • CVE-2012-4867Sep 6, 2012
    risk 0.03cvss epss 0.04

    Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.

  • CVE-2011-4670Dec 2, 2011
    risk 0.03cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4)…

  • CVE-2009-3248Sep 18, 2009
    risk 0.03cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.

  • CVE-2009-3247Sep 18, 2009
    risk 0.03cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.

  • CVE-2008-3101Sep 3, 2008
    risk 0.03cvss epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…

  • CVE-2005-3818Nov 26, 2005
    risk 0.03cvss epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…

  • CVE-2014-2269Apr 22, 2014
    risk 0.01cvss epss 0.16

    modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.

  • CVE-2013-7326Feb 14, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)…

  • CVE-2011-4680Dec 7, 2011
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2010-3911Nov 26, 2010
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label…

  • CVE-2010-3909Nov 26, 2010
    risk 0.00cvss epss 0.02

    Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file…

  • CVE-2009-3257Sep 18, 2009
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.

  • CVE-2007-3604Jul 6, 2007
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php.

  • CVE-2007-3616Jul 6, 2007
    risk 0.00cvss epss 0.01

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.

  • CVE-2007-3617Jul 6, 2007
    risk 0.00cvss epss 0.01

    The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries.

  • CVE-2007-3600Jul 6, 2007
    risk 0.00cvss epss 0.02

    WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.

  • CVE-2007-3603Jul 6, 2007
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php.