VYPR

Vendor CVEs: Rukovoditel

All CVEs

76 total · sorted by risk
  • CVE-2020-35987 · Med · Jul 9, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

  • CVE-2020-35986 · Med · Jul 9, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

  • CVE-2020-35985 · Med · Jul 9, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Global Lists' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

  • CVE-2020-35984 · Med · Jul 9, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.

  • CVE-2020-11821 · Med · Apr 27, 2020
    risk 0.35 · cvss 5.3 · epss 0.01

    In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them.

  • CVE-2020-11813 · Med · Apr 16, 2020
    risk 0.35 · cvss 5.4 · epss 0.01

    In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.

  • CVE-2025-27430 · Low · Mar 11, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the…

  • CVE-2023-46304 · Apr 30, 2024
    risk 0.02 · cvss · epss 0.02

    modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

  • CVE-2026-26720 · Mar 2, 2026
    risk 0.00 · cvss · epss 0.01

    An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.

  • CVE-2026-0488 · Feb 10, 2026
    risk 0.00 · cvss · epss 0.00

    An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database…

  • CVE-2023-53913 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.01

    Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.

  • CVE-2023-53898 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in the application copyright text to execute arbitrary JavaScript in victim browsers.

  • CVE-2023-53897 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.

  • CVE-2025-10345 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'.

  • CVE-2025-10344 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'.

  • CVE-2025-10343 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'expense_name' at the endpoint '/expenses/expense'.

  • CVE-2025-10342 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'name' at the endpoint '/subscriptions/create'.

  • CVE-2025-10341 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the endpoint '/clients/client/x'.

  • CVE-2025-5152 · May 25, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability classified as critical was found in Chanjet CRM up to 20250510. This vulnerability affects unknown code of the file /activity/newActivityedit.php?DontCheckLogin=1&id=null&ret=mod1. The manipulation of the argument gblOrgID leads to sql injection. The attack can…

  • CVE-2025-1618 · Feb 24, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely.…

  • CVE-2024-54687 · Jan 10, 2025
    risk 0.00 · cvss · epss 0.00

    Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php.

  • CVE-2024-48119 · Oct 14, 2024
    risk 0.00 · cvss · epss 0.00

    Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.

  • CVE-2024-44779 · Aug 29, 2024
    risk 0.00 · cvss · epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

  • CVE-2024-42995 · Aug 16, 2024
    risk 0.00 · cvss · epss 0.00

    VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.

  • CVE-2024-34468 · May 4, 2024
    risk 0.00 · cvss · epss 0.00

    Rukovoditel before 3.5.3 allows XSS via user_photo to My Page.

  • CVE-2024-34469 · May 4, 2024
    risk 0.00 · cvss · epss 0.01

    Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save.

Page 2 of 2