Vtiger CRM Security Vulnerabilities

CVE-2006-4617

Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails...

CVE-2006-4587

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk...

CVE-2006-4588

vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings...

CVE-2005-3820

Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the.....

CVE-2005-3824

The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db...

CVE-2005-3818

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads...

CVE-2005-3823

The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval...

CVE-2005-3819

Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk...

CVE-2005-3821

Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account...

CVE-2005-3822

Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts...