vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/30951/info vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the...
Improper access control
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory...
CVE-2008-3458
Vulnerability CVE-2008-3458 affects vTiger CRM prior to version 5.0.4. The issue is inadequate access control: sensitive information is stored under the web root, enabling remote attackers to read mail merge templates by directly requesting the wordtemplatedownload directory. This is confirmed across mu...
vTiger CRM Directory File Disclosure
The remote instance of vTiger allows an unauthenticated attacker to view the contents of application directories, which could lead to the disclosure of sensitive information. Note that the solution does not prevent an attacker from retrieving files by guessing their names, only obtaining a...
CVE-2007-3604 (Design/Logic Flaw)
vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php...
CVE-2007-3603 (SQL injection)
SQL injection vulnerability in the dashboard include/utils/SearchUtils.php in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigneduserid parameter in a Potentials ListView action to index.php...
CVE-2007-3598
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that...
Design/Logic Flaw (CVE-2007-3600)
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module...
Code injection (CVE-2007-3602)
The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin...
CVE-2007-3599
vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission...
CVE-2007-3601
vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view...