EUVD-2026-31907
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, then any authenticated user can execute arbitrary OS commands on the...
EUVD-2026-27452
Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...
PT-2026-32517
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding TOCTOU condition. Host validation uses dns_get_record, but the actual HTTP...
ChurchCRM SQL Injection Vulnerability
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 have a SQL injection vulnerability in the QueryView.php file, where the searchwhat parameter is not properly sanitized before being used in a SQL query...
EUVD-2026-9845
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass...
CRMEB Authorization Issue Vulnerability
CRMEB is an open-source Java e-commerce system developed by CRMEB. CRMEB versions 5.6.3 and earlier contain an authorization vulnerability that stems from incorrect handling of the ‘uid’ parameter in the component's JSON Token Handler file,...
CVE-2025-54787
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload directory, as long as it is named by an ID (e.g., attachments). An...
EspoCRM Security Vulnerability
EspoCRM is an open source web-based customer relationship management (CRM) system from EspoCRM Open Source. The system provides features such as sales automation, community and customer support. A security vulnerability exists in EspoCRM versions prior to 9.0.7 that stems from improper password has...
ChurchCRM Input Validation Error Vulnerability
ChurchCRM is an open source CRM system for churches. ChurchCRM suffers from an input validation error vulnerability that stems from not properly validating input. An attacker can exploit this vulnerability to hijack a user session...
Webkul Krayin CRM Security Vulnerability
Webkul Krayin CRM is a free and open source CRM solution for small and medium-sized businesses from Webkul India. A security vulnerability exists in Webkul Krayin CRM v1.3.0 that stems from susceptibility to cross-site scripting (XSS) attacks...
CVE-2024-45392 SuiteCRM has wrong deletion permission checks on API delete call
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to versions 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue...
YetiForceCrm Cross-Site Scripting Vulnerability
YetiForceCrm is an open source CRM system from the Polish company YetiForce. A cross-site scripting vulnerability exists in YetiForceCrm versions prior to 6.4.0. An attacker could exploit this vulnerability to conduct cross-site scripting attacks...
YetiForceCrm Cross-Site Scripting Vulnerability
YetiForceCrm is an open source CRM system from the Polish company YetiForce. YetiForceCrm suffers from a cross-site scripting vulnerability that originates from improper neutralization of input during web page generation...
YetiForceCrm Cross-Site Request Forgery Vulnerability
YetiForceCrm is an open source CRM system from the Polish company YetiForce. YetiForceCrm suffers from a cross-site request forgery vulnerability, for which no detailed vulnerability information is currently available...
OroCRM - Stored XSS Vulnerability
No description provided by source. Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing! Discovered by: Provensec Website: http://www.provensec.com Author: Provensec Labs...
MyITCRM Cross Site Scripting
Description: Free and Open source CRM Software for your Repairs and Servicing Business! Vendor: http://demo.myitcrm.com/ Author: provensec Type: stored XSS Exploit: 1. Go to http://demo.myitcrm.com/index.php?page=supplier:new&pagetitle=New%20Supplifr%20Page 2. Click on html (refer to screenshot) ==...
OroCRM - Stored XSS Vulnerability
Exploit for php platform in category web applications Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing! Discovered by: Provensec Website: http://www.provensec.com Autho...
vTiger CRM 5.2.x <= Multiple Cross Site Scripting Vulnerabilities
vTiger CRM 5.2.x <= Multiple Cross Site Scripting Vulnerabilities 1. OVERVIEW The vTiger CRM 5.2.1 and lower versions are vulnerable to Cross Site Scripting. No fixed version has been released as of 2011-10-04. 2. BACKGROUND vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal f...
vtigercrm-xss.txt
Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101 http://www.vtiger.de/ Description: vtigerCRM is an Open Source Customer Relationship Managemen...
CVE-2005-4086
Directory traversal vulnerability in acceptDecline.php in Sugar Suite Open Source Customer Relationship Management SugarCRM 4.0 beta and earlier allows remote attackers to include arbitrary local files via ".." sequences in the beanFiles array parameter...