Vendor CVEs
Vtiger
All CVEs
63 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-4834 | Hig | 0.53 | 8.1 | 0.02 | Aug 1, 2016 | modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. | ||
| CVE-2016-1713 | Hig | 0.52 | 7.3 | 0.17 | Apr 14, 2017 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an… | ||
| CVE-2026-26460 | Med | 0.40 | 6.1 | 0.00 | Apr 13, 2026 | A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into… | ||
| CVE-2015-6000 | 0.09 | — | 0.40 | Feb 6, 2020 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an… | |||
| CVE-2014-2268 | 0.05 | — | 0.31 | Nov 16, 2014 | views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code… | |||
| CVE-2019-5009 | 0.04 | — | 0.10 | Jan 4, 2019 | Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a… | |||
| CVE-2014-1222 | 0.04 | — | 0.09 | Aug 12, 2014 | Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the… | |||
| CVE-2009-3250 | 0.04 | — | 0.11 | Sep 18, 2009 | The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP… | |||
| CVE-2009-3249 | 0.04 | — | 0.10 | Sep 18, 2009 | Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable… | |||
| CVE-2006-5289 | 0.04 | — | 0.08 | Oct 13, 2006 | Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3)… | |||
| CVE-2013-3213 | 0.03 | — | 0.03 | Apr 2, 2014 | Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to… | |||
| CVE-2013-5091 | 0.03 | — | 0.01 | Oct 4, 2013 | SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559. | |||
| CVE-2012-4867 | 0.03 | — | 0.04 | Sep 6, 2012 | Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter. | |||
| CVE-2011-4670 | 0.03 | — | 0.03 | Dec 2, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4)… | |||
| CVE-2011-4559 | 0.03 | — | 0.01 | Nov 28, 2011 | SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. | |||
| CVE-2009-3248 | 0.03 | — | 0.01 | Sep 18, 2009 | Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php. | |||
| CVE-2009-3247 | 0.03 | — | 0.03 | Sep 18, 2009 | Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3. | |||
| CVE-2008-3101 | 0.03 | — | 0.04 | Sep 3, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an… | |||
| CVE-2005-3819 | 0.03 | — | 0.03 | Nov 26, 2005 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module. | |||
| CVE-2005-3818 | 0.03 | — | 0.05 | Nov 26, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView… | |||
| CVE-2014-2269 | 0.01 | — | 0.16 | Apr 22, 2014 | modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters. | |||
| CVE-2010-3910 | 0.01 | — | 0.07 | Nov 26, 2010 | Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or… | |||
| CVE-2025-45755 | 0.00 | — | 0.00 | May 21, 2025 | A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the… | |||
| CVE-2025-45753 | 0.00 | — | 0.00 | May 21, 2025 | A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. | |||
| CVE-2024-54687 | 0.00 | — | 0.00 | Jan 10, 2025 | Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php. | |||
| CVE-2024-44778 | 0.00 | — | 0.01 | Aug 29, 2024 | A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | |||
| CVE-2024-44777 | 0.00 | — | 0.01 | Aug 29, 2024 | A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | |||
| CVE-2024-44776 | 0.00 | — | 0.00 | Aug 29, 2024 | An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL. | |||
| CVE-2024-42994 | 0.00 | — | 0.00 | Aug 16, 2024 | VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module. | |||
| CVE-2023-38891 | 0.00 | — | 0.01 | Sep 14, 2023 | SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. | |||
| CVE-2022-38335 | 0.00 | — | 0.01 | Sep 27, 2022 | Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. | |||
| CVE-2020-19363 | 0.00 | — | 0.04 | Jan 20, 2021 | Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories. | |||
| CVE-2020-19362 | 0.00 | — | 0.01 | Jan 20, 2021 | Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page. | |||
| CVE-2019-19202 | 0.00 | — | 0.01 | Nov 21, 2019 | In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | |||
| CVE-2018-8047 | 0.00 | — | 0.01 | Jun 6, 2019 | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via… | |||
| CVE-2016-10754 | 0.00 | — | 0.01 | May 24, 2019 | modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. | |||
| CVE-2019-11057 | 0.00 | — | 0.01 | May 17, 2019 | SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | |||
| CVE-2013-7326 | 0.00 | — | 0.02 | Feb 14, 2014 | Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)… | |||
| CVE-2011-4680 | 0.00 | — | 0.01 | Dec 7, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2011-4679 | 0.00 | — | 0.01 | Dec 7, 2011 | vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. | |||
| CVE-2010-3911 | 0.00 | — | 0.01 | Nov 26, 2010 | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label… | |||
| CVE-2010-3909 | 0.00 | — | 0.02 | Nov 26, 2010 | Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file… | |||
| CVE-2009-3258 | 0.00 | — | 0.02 | Sep 18, 2009 | vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12)… | |||
| CVE-2009-3257 | 0.00 | — | 0.01 | Sep 18, 2009 | vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. | |||
| CVE-2009-3251 | 0.00 | — | 0.01 | Sep 18, 2009 | include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. | |||
| CVE-2008-3458 | 0.00 | — | 0.03 | Aug 4, 2008 | Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. | |||
| CVE-2007-3598 | 0.00 | — | 0.01 | Jul 6, 2007 | index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of… | |||
| CVE-2007-3601 | 0.00 | — | 0.01 | Jul 6, 2007 | vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view. | |||
| CVE-2007-3616 | 0.00 | — | 0.01 | Jul 6, 2007 | index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module. | |||
| CVE-2007-3600 | 0.00 | — | 0.02 | Jul 6, 2007 | WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module. |
- risk 0.53cvss 8.1epss 0.02
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
- risk 0.52cvss 7.3epss 0.17
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an…
- risk 0.40cvss 6.1epss 0.00
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into…
- CVE-2015-6000Feb 6, 2020risk 0.09cvss —epss 0.40
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an…
- CVE-2014-2268Nov 16, 2014risk 0.05cvss —epss 0.31
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code…
- CVE-2019-5009Jan 4, 2019risk 0.04cvss —epss 0.10
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a…
- CVE-2014-1222Aug 12, 2014risk 0.04cvss —epss 0.09
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the…
- CVE-2009-3250Sep 18, 2009risk 0.04cvss —epss 0.11
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP…
- CVE-2009-3249Sep 18, 2009risk 0.04cvss —epss 0.10
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable…
- CVE-2006-5289Oct 13, 2006risk 0.04cvss —epss 0.08
Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3)…
- CVE-2013-3213Apr 2, 2014risk 0.03cvss —epss 0.03
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to…
- CVE-2013-5091Oct 4, 2013risk 0.03cvss —epss 0.01
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
- CVE-2012-4867Sep 6, 2012risk 0.03cvss —epss 0.04
Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.
- CVE-2011-4670Dec 2, 2011risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4)…
- CVE-2011-4559Nov 28, 2011risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
- CVE-2009-3248Sep 18, 2009risk 0.03cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.
- CVE-2009-3247Sep 18, 2009risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
- CVE-2008-3101Sep 3, 2008risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an…
- CVE-2005-3819Nov 26, 2005risk 0.03cvss —epss 0.03
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.
- CVE-2005-3818Nov 26, 2005risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView…
- CVE-2014-2269Apr 22, 2014risk 0.01cvss —epss 0.16
modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.
- CVE-2010-3910Nov 26, 2010risk 0.01cvss —epss 0.07
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or…
- CVE-2025-45755May 21, 2025risk 0.00cvss —epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the…
- CVE-2025-45753May 21, 2025risk 0.00cvss —epss 0.00
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.
- CVE-2024-54687Jan 10, 2025risk 0.00cvss —epss 0.00
Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php.
- CVE-2024-44778Aug 29, 2024risk 0.00cvss —epss 0.01
A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
- CVE-2024-44777Aug 29, 2024risk 0.00cvss —epss 0.01
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
- CVE-2024-44776Aug 29, 2024risk 0.00cvss —epss 0.00
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
- CVE-2024-42994Aug 16, 2024risk 0.00cvss —epss 0.00
VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module.
- CVE-2023-38891Sep 14, 2023risk 0.00cvss —epss 0.01
SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.
- CVE-2022-38335Sep 27, 2022risk 0.00cvss —epss 0.01
Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
- CVE-2020-19363Jan 20, 2021risk 0.00cvss —epss 0.04
Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories.
- CVE-2020-19362Jan 20, 2021risk 0.00cvss —epss 0.01
Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.
- CVE-2019-19202Nov 21, 2019risk 0.00cvss —epss 0.01
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
- CVE-2018-8047Jun 6, 2019risk 0.00cvss —epss 0.01
vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via…
- CVE-2016-10754May 24, 2019risk 0.00cvss —epss 0.01
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
- CVE-2019-11057May 17, 2019risk 0.00cvss —epss 0.01
SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
- CVE-2013-7326Feb 14, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4)…
- CVE-2011-4680Dec 7, 2011risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2011-4679Dec 7, 2011risk 0.00cvss —epss 0.01
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.
- CVE-2010-3911Nov 26, 2010risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label…
- CVE-2010-3909Nov 26, 2010risk 0.00cvss —epss 0.02
Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file…
- CVE-2009-3258Sep 18, 2009risk 0.00cvss —epss 0.02
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12)…
- CVE-2009-3257Sep 18, 2009risk 0.00cvss —epss 0.01
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
- CVE-2009-3251Sep 18, 2009risk 0.00cvss —epss 0.01
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.
- CVE-2008-3458Aug 4, 2008risk 0.00cvss —epss 0.03
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
- CVE-2007-3598Jul 6, 2007risk 0.00cvss —epss 0.01
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of…
- CVE-2007-3601Jul 6, 2007risk 0.00cvss —epss 0.01
vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view.
- CVE-2007-3616Jul 6, 2007risk 0.00cvss —epss 0.01
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.
- CVE-2007-3600Jul 6, 2007risk 0.00cvss —epss 0.02
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.
Page 1 of 2