Lucene search

K

CRM Security Vulnerabilities

cve
cve

CVE-2023-0588

The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as...

6.1CVSS

6AI Score

0.001EPSS

2023-06-27 02:15 PM
22
cve
cve

CVE-2023-27427

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in NTZApps CRM Memberships plugin <= 1.6...

5.9CVSS

4.8AI Score

0.0005EPSS

2023-06-23 01:15 PM
21
cve
cve

CVE-2023-27429

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin <= 5.4.4...

5.9CVSS

4.8AI Score

0.0005EPSS

2023-06-21 02:15 PM
12
cve
cve

CVE-2023-2527

The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as...

4.8CVSS

5.7AI Score

0.001EPSS

2023-06-19 11:15 AM
19
cve
cve

CVE-2023-33568

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file...

7.5CVSS

7.3AI Score

0.506EPSS

2023-06-13 03:15 PM
37
cve
cve

CVE-2023-33986

SAP CRM ABAP (Grantor Management) - versions 700, 701, 702, 712, 713, 714, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the...

6.1CVSS

6AI Score

0.001EPSS

2023-06-13 03:15 AM
11
cve
cve

CVE-2023-1430

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...

5.3CVSS

4.3AI Score

0.001EPSS

2023-06-09 06:15 AM
17
cve
cve

CVE-2023-2405

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's...

6.5CVSS

6.3AI Score

0.001EPSS

2023-06-03 05:15 AM
17
cve
cve

CVE-2023-2404

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the...

6.4CVSS

5.2AI Score

0.001EPSS

2023-06-03 05:15 AM
17
cve
cve

CVE-2023-3058

A vulnerability was found in 07FLY CRM up to 1.2.0. It has been declared as problematic. This vulnerability affects unknown code of the component User Profile Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public....

5.4CVSS

5.3AI Score

0.001EPSS

2023-06-02 01:15 PM
24
cve
cve

CVE-2023-2836

The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.8CVSS

4.9AI Score

0.001EPSS

2023-05-31 04:15 AM
20
cve
cve

CVE-2023-30253

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase...

8.8CVSS

8.8AI Score

0.008EPSS

2023-05-29 09:15 PM
55
cve
cve

CVE-2023-2925

A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. This affects an unknown part of the file /admin/contacts/organizations/edit/2 of the component Edit Person Page. The manipulation of the argument Organization leads to cross site scripting. It is possible...

5.4CVSS

5.1AI Score

0.001EPSS

2023-05-27 09:15 AM
21
cve
cve

CVE-2023-25976

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2...

8.8CVSS

8.8AI Score

0.001EPSS

2023-05-26 12:15 PM
19
cve
cve

CVE-2023-2717

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enable_safe_mode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other.....

5.4CVSS

4.6AI Score

0.001EPSS

2023-05-20 03:15 AM
24
cve
cve

CVE-2023-2716

The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access....

5.4CVSS

5.5AI Score

0.001EPSS

2023-05-20 03:15 AM
22
cve
cve

CVE-2023-2735

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

5.4CVSS

5.2AI Score

0.002EPSS

2023-05-20 03:15 AM
22
cve
cve

CVE-2023-2715

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's....

4.3CVSS

4.6AI Score

0.001EPSS

2023-05-20 03:15 AM
28
cve
cve

CVE-2023-2736

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticated attackers to receive the auto login link via shortcode...

8CVSS

7.4AI Score

0.002EPSS

2023-05-20 03:15 AM
21
cve
cve

CVE-2023-2714

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...

4.3CVSS

5.2AI Score

0.002EPSS

2023-05-20 03:15 AM
22
cve
cve

CVE-2023-30742

SAP CRM (WebClient UI) - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 700, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site...

6.1CVSS

5.9AI Score

0.001EPSS

2023-05-09 02:15 AM
12
cve
cve

CVE-2023-29188

SAP CRM WebClient UI - versions SAPSCORE 129, S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS)...

5.4CVSS

5.2AI Score

0.001EPSS

2023-05-09 01:15 AM
15
cve
cve

CVE-2022-44582

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Apptivo Apptivo Business Site CRM plugin <= 3.0.12...

4.8CVSS

4.8AI Score

0.0005EPSS

2023-04-23 09:15 AM
16
cve
cve

CVE-2023-21909

Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: UI Framework). Supported versions that are affected are 23.3 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM. Successful attacks of this...

6.5CVSS

6.5AI Score

0.001EPSS

2023-04-18 08:15 PM
22
cve
cve

CVE-2023-29189

SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to....

5.4CVSS

5.3AI Score

0.001EPSS

2023-04-11 04:16 AM
19
cve
cve

CVE-2023-27897

In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform....

6.3CVSS

6.4AI Score

0.001EPSS

2023-04-11 03:15 AM
16
cve
cve

CVE-2023-1425

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as...

7.2CVSS

7.4AI Score

0.001EPSS

2023-04-10 02:15 PM
27
cve
cve

CVE-2023-1060

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YKM YKM CRM allows Reflected XSS.This issue affects YKM CRM: before...

6.1CVSS

6.3AI Score

0.001EPSS

2023-03-31 10:15 AM
17
cve
cve

CVE-2023-24525

SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause limited impact on confidentiality of the...

5.4CVSS

5.2AI Score

0.001EPSS

2023-02-14 04:15 AM
23
cve
cve

CVE-2022-48082

Easyone CRM v5.50.02 was discovered to contain a SQL Injection vulnerability via the text parameter at...

9.8CVSS

9.7AI Score

0.001EPSS

2023-02-02 09:22 PM
22
cve
cve

CVE-2022-47073

A cross-site scripting (XSS) vulnerability in the Create Ticket page of Small CRM v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject...

5.4CVSS

5.3AI Score

0.001EPSS

2023-01-26 09:18 PM
16
cve
cve

CVE-2022-38467

Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms – WordPress Form Builder <= 1.1.0...

6.1CVSS

6AI Score

0.001EPSS

2023-01-14 11:15 AM
27
cve
cve

CVE-2022-46610

72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP...

8.8CVSS

8.9AI Score

0.001EPSS

2023-01-10 02:15 PM
20
cve
cve

CVE-2022-4497

The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...

5.4CVSS

5.3AI Score

0.001EPSS

2023-01-09 11:15 PM
37
cve
cve

CVE-2021-30134

php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to...

6.1CVSS

5.9AI Score

0.001EPSS

2022-12-26 07:15 AM
47
cve
cve

CVE-2022-43271

Inhabit Systems Pty Ltd Move CRM version 4, build 260 was discovered to contain a cross-site scripting (XSS) vulnerability via the User profile...

5.4CVSS

5.3AI Score

0.001EPSS

2022-12-22 02:15 AM
26
cve
cve

CVE-2022-3919

The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is...

4.8CVSS

4.8AI Score

0.001EPSS

2022-12-12 06:15 PM
30
cve
cve

CVE-2022-4093

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In...

9.8CVSS

9.4AI Score

0.002EPSS

2022-11-21 05:15 AM
44
14
cve
cve

CVE-2022-43138

Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted...

9.8CVSS

9.3AI Score

0.018EPSS

2022-11-17 05:15 PM
41
6
cve
cve

CVE-2022-41978

Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on...

8.8CVSS

6.4AI Score

0.001EPSS

2022-11-09 04:15 PM
29
5
cve
cve

CVE-2021-40303

perfex crm 1.10 is vulnerable to Cross Site Scripting (XSS) via...

5.4CVSS

5.3AI Score

0.001EPSS

2022-11-08 06:15 PM
31
5
cve
cve

CVE-2022-40871

Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by...

9.8CVSS

9.6AI Score

0.003EPSS

2022-10-12 12:15 PM
47
4
cve
cve

CVE-2009-3257

vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that...

6.3AI Score

0.001EPSS

2022-10-03 04:23 PM
27
cve
cve

CVE-2009-3251

include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom...

6.2AI Score

0.001EPSS

2022-10-03 04:23 PM
21
cve
cve

CVE-2009-3258

vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views,.....

6.3AI Score

0.002EPSS

2022-10-03 04:23 PM
21
cve
cve

CVE-2017-17971

The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows...

6.1CVSS

6.1AI Score

0.001EPSS

2022-10-03 04:23 PM
27
2
cve
cve

CVE-2017-18004

Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to...

5.4CVSS

5.2AI Score

0.001EPSS

2022-10-03 04:23 PM
23
cve
cve

CVE-2017-8879

Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended...

6.8CVSS

6.7AI Score

0.001EPSS

2022-10-03 04:23 PM
24
4
cve
cve

CVE-2018-13450

SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch...

9.8CVSS

9.9AI Score

0.001EPSS

2022-10-03 04:22 PM
24
cve
cve

CVE-2018-13449

SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy...

9.8CVSS

9.9AI Score

0.001EPSS

2022-10-03 04:22 PM
24
Total number of security vulnerabilities428