Vendor CVEs
Rukovoditel
All CVEs
76 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-35987 | | Med | 0.35 | 5.4 | 0.01 | | Jul 9, 2021 | A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. |
| CVE-2020-35986 | | Med | 0.35 | 5.4 | 0.01 | | Jul 9, 2021 | A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. |
| CVE-2020-35985 | | Med | 0.35 | 5.4 | 0.01 | | Jul 9, 2021 | A stored cross site scripting (XSS) vulnerability in the 'Global Lists' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. |
| CVE-2020-35984 | | Med | 0.35 | 5.4 | 0.01 | | Jul 9, 2021 | A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. |
| CVE-2020-11821 | | Med | 0.35 | 5.3 | 0.01 | | Apr 27, 2020 | In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them. |
| CVE-2020-11813 | | Med | 0.35 | 5.4 | 0.01 | | Apr 16, 2020 | In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page, so this attack vector can be very dangerous. |
| CVE-2025-27430 | | Low | 0.23 | 3.5 | 0.00 | | Mar 11, 2025 | Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the… |
| CVE-2023-46304 | | | 0.02 | — | 0.02 | | Apr 30, 2024 | modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load). |
| CVE-2026-26720 | | | 0.00 | — | 0.01 | | Mar 2, 2026 | An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module. |
| CVE-2026-0488 | | | 0.00 | — | 0.00 | | Feb 10, 2026 | An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database… |
| CVE-2023-53913 | | | 0.00 | — | 0.01 | | Dec 17, 2025 | Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc\|a!z\| to trigger code execution when an admin exports customer data as a CSV file. |
| CVE-2023-53898 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers. |
| CVE-2023-53897 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers. |
| CVE-2025-10345 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'. |
| CVE-2025-10344 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'. |
| CVE-2025-10343 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'expense_name' at the endpoint '/expenses/expense'. |
| CVE-2025-10342 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'name' at the endpoint '/subscriptions/create'. |
| CVE-2025-10341 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the endpoint '/clients/client/x'. |
| CVE-2025-5152 | | | 0.00 | — | 0.00 | | May 25, 2025 | A vulnerability classified as critical was found in Chanjet CRM up to 20250510. This vulnerability affects unknown code of the file /activity/newActivityedit.php?DontCheckLogin=1&id=null&ret=mod1. The manipulation of the argument gblOrgID leads to SQL injection. The attack can… |
| CVE-2025-1618 | | | 0.00 | — | 0.00 | | Feb 24, 2025 | A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely.… |
| CVE-2024-54687 | | | 0.00 | — | 0.00 | | Jan 10, 2025 | Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php. |
| CVE-2024-48119 | | | 0.00 | — | 0.00 | | Oct 14, 2024 | Vtiger CRM v8.2.0 has an HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML. |
| CVE-2024-44779 | | | 0.00 | — | 0.01 | | Aug 29, 2024 | A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. |
| CVE-2024-42995 | | | 0.00 | — | 0.00 | | Aug 16, 2024 | VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules. |
| CVE-2024-34468 | | | 0.00 | — | 0.00 | | May 4, 2024 | Rukovoditel before 3.5.3 allows XSS via user_photo to My Page. |
| CVE-2024-34469 | | | 0.00 | — | 0.01 | | May 4, 2024 | Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save. |