VYPR

Vendor CVEs

Vtiger

All CVEs

63 total · sorted by risk
  • CVE-2016-4834HigAug 1, 2016
    risk 0.53cvss 8.1epss 0.02

    modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.

  • CVE-2016-1713HigApr 14, 2017
    risk 0.52cvss 7.3epss 0.17

    Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an…

  • CVE-2026-26460MedApr 13, 2026
    risk 0.40cvss 6.1epss 0.00

    A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into…

  • CVE-2015-6000Feb 6, 2020
    risk 0.09cvss epss 0.40

    Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an…

  • CVE-2014-2268Nov 16, 2014
    risk 0.05cvss epss 0.31

    views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code…

  • CVE-2019-5009Jan 4, 2019
    risk 0.04cvss epss 0.10

    Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…

  • CVE-2014-1222Aug 12, 2014
    risk 0.04cvss epss 0.09

    Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the…

  • CVE-2009-3250Sep 18, 2009
    risk 0.04cvss epss 0.11

    The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP…

  • CVE-2009-3249Sep 18, 2009
    risk 0.04cvss epss 0.10

    Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable…

  • CVE-2006-5289Oct 13, 2006
    risk 0.04cvss epss 0.08

    Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3)…

  • CVE-2013-3213Apr 2, 2014
    risk 0.03cvss epss 0.03

    Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to…

  • CVE-2013-5091Oct 4, 2013
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.

  • CVE-2012-4867Sep 6, 2012
    risk 0.03cvss epss 0.04

    Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.

  • CVE-2011-4670Dec 2, 2011
    risk 0.03cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4)…

  • CVE-2011-4559Nov 28, 2011
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.

  • CVE-2009-3248Sep 18, 2009
    risk 0.03cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.

  • CVE-2009-3247Sep 18, 2009
    risk 0.03cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.

  • CVE-2008-3101Sep 3, 2008
    risk 0.03cvss epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…

  • CVE-2005-3819Nov 26, 2005
    risk 0.03cvss epss 0.03

    Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.

  • CVE-2005-3818Nov 26, 2005
    risk 0.03cvss epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…

  • CVE-2014-2269Apr 22, 2014
    risk 0.01cvss epss 0.16

    modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.

  • CVE-2010-3910Nov 26, 2010
    risk 0.01cvss epss 0.07

    Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or…

  • CVE-2025-45755May 21, 2025
    risk 0.00cvss epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the…

  • CVE-2025-45753May 21, 2025
    risk 0.00cvss epss 0.00

    A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.

  • CVE-2024-54687Jan 10, 2025
    risk 0.00cvss epss 0.00

    Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php.

  • CVE-2024-44778Aug 29, 2024
    risk 0.00cvss epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

  • CVE-2024-44777Aug 29, 2024
    risk 0.00cvss epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

  • CVE-2024-44776Aug 29, 2024
    risk 0.00cvss epss 0.00

    An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.

  • CVE-2024-42994Aug 16, 2024
    risk 0.00cvss epss 0.00

    VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module.

  • CVE-2023-38891Sep 14, 2023
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

  • CVE-2022-38335Sep 27, 2022
    risk 0.00cvss epss 0.01

    Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.

  • CVE-2020-19363Jan 20, 2021
    risk 0.00cvss epss 0.04

    Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories.

  • CVE-2020-19362Jan 20, 2021
    risk 0.00cvss epss 0.01

    Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

  • CVE-2019-19202Nov 21, 2019
    risk 0.00cvss epss 0.01

    In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.

  • CVE-2018-8047Jun 6, 2019
    risk 0.00cvss epss 0.01

    vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via…

  • CVE-2016-10754May 24, 2019
    risk 0.00cvss epss 0.01

    modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.

  • CVE-2019-11057May 17, 2019
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.

  • CVE-2013-7326Feb 14, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)…

  • CVE-2011-4680Dec 7, 2011
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2011-4679Dec 7, 2011
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.

  • CVE-2010-3911Nov 26, 2010
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label…

  • CVE-2010-3909Nov 26, 2010
    risk 0.00cvss epss 0.02

    Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file…

  • CVE-2009-3258Sep 18, 2009
    risk 0.00cvss epss 0.02

    vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12)…

  • CVE-2009-3257Sep 18, 2009
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.

  • CVE-2009-3251Sep 18, 2009
    risk 0.00cvss epss 0.01

    include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.

  • CVE-2008-3458Aug 4, 2008
    risk 0.00cvss epss 0.03

    Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.

  • CVE-2007-3598Jul 6, 2007
    risk 0.00cvss epss 0.01

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of…

  • CVE-2007-3601Jul 6, 2007
    risk 0.00cvss epss 0.01

    vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view.

  • CVE-2007-3616Jul 6, 2007
    risk 0.00cvss epss 0.01

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.

  • CVE-2007-3600Jul 6, 2007
    risk 0.00cvss epss 0.02

    WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.

Page 1 of 2