CRM Security Vulnerabilities

Each entry below lists the CVE identifier, the AI Score, the EPSS probability and the publication date on one line, followed by the (truncated) CVE description.

CVE-2009-3248 | AI Score 7.1 | EPSS 0.032 | Published 2009-09-18 08:30 PM
Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to...

CVE-2009-3250 | AI Score 7.3 | EPSS 0.055 | Published 2009-09-18 08:30 PM
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP Server configurations, ...

CVE-2008-3948 | AI Score 8.4 | EPSS 0.001 | Published 2008-09-05 04:08 PM
SQL injection vulnerability in admin/users/self-2.php in XRMS allows remote attackers to execute arbitrary SQL commands and modify name and email fields via unspecified...

CVE-2008-3664 | AI Score 5.8 | EPSS 0.002 | Published 2008-09-05 04:08 PM
Multiple cross-site scripting (XSS) vulnerabilities in XRMS allow remote attackers to inject arbitrary web script or HTML via (1) the real name field, related to the user list; (2) the target parameter to login.php, (3) the title parameter to activities/some.php, (4) the company_name parameter to...

CVE-2008-3101 | AI Score 5.6 | EPSS 0.008 | Published 2008-09-03 02:12 PM
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action...

CVE-2008-3399 | AI Score 7.6 | EPSS 0.008 | Published 2008-07-31 04:41 PM
PHP remote file inclusion vulnerability in activities/workflow-activities.php in XRMS CRM 1.99.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the include_directory...

CVE-2008-3398 | AI Score 5.8 | EPSS 0.003 | Published 2008-07-31 04:41 PM
Multiple cross-site scripting (XSS) vulnerabilities in XRMS CRM 1.99.2 allow remote attackers to inject arbitrary web script or HTML via the msg parameter to unspecified components, possibly including login.php. NOTE: this may overlap...

CVE-2008-3400 | AI Score 6.3 | EPSS 0.005 | Published 2008-07-31 04:41 PM
XRMS CRM 1.99.2 allows remote attackers to obtain configuration information via a direct request to tests/info.php, which calls the phpinfo...

CVE-2007-3603 | AI Score 7.9 | EPSS 0.003 | Published 2007-07-06 07:30 PM
SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to...

CVE-2007-3599 | AI Score 6.1 | EPSS 0.002 | Published 2007-07-06 07:30 PM
vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View...

CVE-2007-3617 | AI Score 6.4 | EPSS 0.002 | Published 2007-07-06 07:30 PM
The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module...

CVE-2007-3600 | AI Score 6.5 | EPSS 0.007 | Published 2007-07-06 07:30 PM
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact...

CVE-2007-3601 | AI Score 6.2 | EPSS 0.002 | Published 2007-07-06 07:30 PM
vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list...

CVE-2007-3604 | AI Score 6.4 | EPSS 0.007 | Published 2007-07-06 07:30 PM
vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving...

CVE-2006-6543 | AI Score 9.1 | EPSS 0.002 | Published 2006-12-14 02:28 AM
Multiple SQL injection vulnerabilities in login.asp in AppIntellect SpotLight CRM 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) login (UserName) and possibly (2) password parameter. NOTE: some of these details are obtained from third party...

CVE-2006-5289 | AI Score 7.6 | EPSS 0.156 | Published 2006-10-13 08:07 PM
Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3)...

CVE-2006-4617 | AI Score 7.8 | EPSS 0.006 | Published 2006-09-07 12:04 AM
Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails...

CVE-2006-4587 | AI Score 6.1 | EPSS 0.03 | Published 2006-09-06 10:04 PM
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk...

CVE-2006-4588 | AI Score 7.4 | EPSS 0.017 | Published 2006-09-06 10:04 PM
vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings...

CVE-2006-0510 | AI Score 8.4 | EPSS 0.006 | Published 2006-02-01 11:02 PM
SQL injection vulnerability in userlogin.jsp in Daffodil CRM 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified parameters in a login...

CVE-2005-3820 | AI Score 7.6 | EPSS 0.012 | Published 2005-11-26 02:03 AM
Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the...

CVE-2005-3824 | AI Score 7 | EPSS 0.031 | Published 2005-11-26 02:03 AM
The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db...

CVE-2005-3818 | AI Score 5.8 | EPSS 0.015 | Published 2005-11-26 02:03 AM
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads...

CVE-2005-3823 | AI Score 7.7 | EPSS 0.019 | Published 2005-11-26 02:03 AM
The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval...

CVE-2005-3819 | AI Score 8.2 | EPSS 0.015 | Published 2005-11-26 02:03 AM
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk...

CVE-2005-3821 | AI Score 5.7 | EPSS 0.006 | Published 2005-11-26 02:03 AM
Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account...

CVE-2005-3822 | AI Score 8.5 | EPSS 0.008 | Published 2005-11-26 02:03 AM
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts...

CVE-2004-0204 | AI Score 6.8 | EPSS 0.966 | Published 2004-08-06 04:00 AM
Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers...

Total number of security vulnerabilities: 428