638 matches found
vtiger CRM 5.2.0 Cross Site Request Forgery
!--========================================================================================================= //\ /\ /\ /\ /\ /\ ///\ //\ /\ /\///\ // \ // //\ \ / //\ \ / // //\ \ /\\ \ \ \ / / / / // \ \ // // // // \ // //\ \\ \ // /// \ \ / \ / // / // / / / / / \ \ / / / ...
CVE-2009-3257
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the 1 Account Billing Address and 2 Shipping Address fields in a profile by creating a Sales Order SO associated with that profile...
Code injection
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete 1 attachments, 2 reports, 3 filters, 4 views, and 5 tickets; insert 6 attachments, 7 reports, 8 filters, 9 views, and 10 tickets; and edit 11 reports, 12 filters, 13 views, and 14 tickets via...
Design/Logic Flaw
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the 1 Account Billing Address and 2 Shipping Address fields in a profile by creating a Sales Order SO associated with that profile...
CVE-2009-3258
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete 1 attachments, 2 reports, 3 filters, 4 views, and 5 tickets; insert 6 attachments, 7 reports, 8 filters, 9 views, and 10 tickets; and edit 11 reports, 12 filters, 13 views, and 14 tickets via...
CVE-2009-3257
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the 1 Account Billing Address and 2 Shipping Address fields in a profile by creating a Sales Order SO associated with that profile...
CVE-2009-3258
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete 1 attachments, 2 reports, 3 filters, 4 views, and 5 tickets; insert 6 attachments, 7 reports, 8 filters, 9 views, and 10 tickets; and edit 11 reports, 12 filters, 13 views, and 14 tickets via...
CVE-2009-3258
vtiger CRM prior to version 5.1.0 is affected. Remote authenticated users with certain View privileges can perform a range of actions, including deleting (attachments, reports, filters, views, tickets), inserting (attachments, reports, filters, views, tickets), and editing (reports, filters, view...
CVE-2009-3257
CVE-2009-3257 in vtiger CRM affects vtiger CRM before 5.1.0. The vulnerability arises when remote authenticated users can bypass permissions on profile fields (Account Billing Address and Shipping Address) by creating a Sales Order associated with that profile. The description implies a permissio...
Design/Logic Flaw
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in 1 .php in installations based on certain Apache HTTP Server configurations, 2...
Cross site request forgery (csrf)
Cross-site request forgery CSRF vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php...
CVE-2009-3251
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the 1 visibility, 2 location, and 3 recurrence fields of a calendar via a custom view...
Cross site scripting
Cross-site scripting XSS vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the querystring vector is already covered by CVE-2008-3101.3...
Directory traversal
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. dot dot in 1 the module parameter to graph.php; or the 2 module or 3 file parameter to include/Ajax/CommonAjax.php, reachable through...
CVE-2009-3248
Cross-site request forgery CSRF vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php...
Design/Logic Flaw
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the 1 visibility, 2 location, and 3 recurrence fields of a calendar via a custom view...
CVE-2009-3247
Cross-site scripting XSS vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the querystring vector is already covered by CVE-2008-3101.3...
CVE-2009-3249
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. dot dot in 1 the module parameter to graph.php; or the 2 module or 3 file parameter to include/Ajax/CommonAjax.php, reachable through...
CVE-2009-3248
Cross-site request forgery CSRF vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php...
CVE-2009-3250
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in 1 .php in installations based on certain Apache HTTP Server configurations, 2...