Lucene search
K
VtigerVtiger Crm

72 matches found

CVE
CVE
added 2019/06/06 6:21 p.m.176 views

CVE-2018-8047

Vulnerability: vtiger CRM 7.0.1 is affected by a reflected Cross-Site Scripting (XSS) flaw. Root cause: lack of proper input validation in the app parameter passed via index.php?module=Contacts&view=List, enabling remote unauthenticated users to inject script/HTML. Affected versions: 7.0.1 and pr...

6.1CVSS6AI score0.01283EPSS
CVE
CVE
added 2020/01/29 5:21 p.m.153 views

CVE-2013-3215

CVE-2013-3215 affects vtiger CRM 5.4.0 and earlier. Root cause: authentication bypass due to improper validation in validateSession. CVSS v3.1 base score 9.8 (CRITICAL; NETWORK, LOW attack complexity, PR:N; privileges NONE; UI:N; C/H/I/H/A/H). Public details in NVD/CVE records indicate high-risk ...

9.8CVSS9.3AI score0.68849EPSS
CVE
CVE
added 2020/01/28 8:27 p.m.117 views

CVE-2013-3214

CVE-2013-3214 affects vtiger CRM 5.4.0 and earlier; a PHP Code Injection vulnerability exists in vtigerolservice.php that can lead to remote code execution. Public disclosure includes Metasploit/Exploitation modules (e.g., vtiger_soap_upload) and multiple Exploit-DB entries. Remediation details a...

9.8CVSS9.5AI score0.84535EPSS
CVE
CVE
added 2014/08/12 11:0 p.m.97 views

CVE-2014-1222

CVE-2014-1222 affects Vtiger CRM prior to 6.0.0 Security Patch 1, where a vulnerability in the kcfinder/browse.php component allows remote authenticated users to read arbitrary files via directory traversal (.. in the file parameter) in a download action. The issue is likely in KCFinder and may a...

4CVSS8.5AI score0.08795EPSS
Web
CVE
CVE
added 2017/04/14 6:0 p.m.92 views

CVE-2016-1713

CVE-2016-1713 concerns Vtiger CRM 6.4.0 where an unrestricted file upload in Settings_Vtiger_CompanyDetailsSave_Action (modules/Settings/Vtiger/actions/CompanyDetailsSave.php) lets a remote authenticated user upload a crafted image with an executable extension and access it via test/logo/ to exec...

8.5CVSS7.7AI score0.16561EPSS
Web
CVE
CVE
added 2020/01/28 8:23 p.m.91 views

CVE-2013-3212

CVE-2013-3212 affects vtiger CRM <= 5.4.0. Affected component: SOAP-based customerportal.php with two Local File Inclusion vulnerabilities in get_list_values and get_project_components. Root cause: input in the module parameter is not properly validated, leading to require_once of untrusted lo...

8.1CVSS8.5AI score0.07543EPSS
CVE
CVE
added 2013/10/04 8:0 p.m.84 views

CVE-2013-5091

The CVE affects vtiger CRM (CalendarCommon.php) where SQL injection is possible via the onlyforuser parameter passed to index.php. Affected: vtiger CRM 5.4.0 and likely earlier. Root cause: insufficient validation of the onlyforuser input leading to arbitrary SQL execution; exploitation requires ...

6.5CVSS8AI score0.01238EPSS
Web
CVE
CVE
added 2020/02/06 1:55 p.m.79 views

CVE-2015-6000

CVE-2015-6000 refers to an Unrestricted file upload vulnerability in Vtiger CRM (Settings_Vtiger_CompanyDetailsSave_Action in modules/Settings/Vtiger/actions/CompanyDetailsSave.php) affecting Vtiger CRM 6.3.0 and earlier. The issue allows remote authenticated users to execute arbitrary code by up...

8.8CVSS7.9AI score0.40241EPSS
Web
CVE
CVE
added 2010/11/26 7:0 p.m.78 views

CVE-2010-3910

Vuln summary (CVE-2010-3910): VTiger CRM up to version 5.2.0 is affected by local file inclusion and directory traversal issues in include/utils/utils.php (return_application_language) and in graph.php. An attacker can trigger LFI by manipulating language parameters (lang_crm in phprint.php and c...

6.8CVSS7.3AI score0.07373EPSS
Web
CVE
CVE
added 2014/11/16 1:0 a.m.78 views

CVE-2014-2268

CVE-2014-2268 affects vtiger CRM 6.0 Install module prior to Security Patch 2, where access restrictions are insufficient and a crafted request (including X-Requested-With) can re-install the app and execute arbitrary PHP via the db_name parameter. Public indicators of exploitation exist (e.g., M...

5CVSS6.9AI score0.31212EPSS
Web
CVE
CVE
added 2019/05/24 5:40 p.m.77 views

CVE-2016-10754

CVE-2016-10754 affects Vtiger CRM 6.5.0, specifically the file modules/Calendar/Activity.php. The vulnerability is an SQL injection via the contactidlist parameter due to lack of validation of externally entered SQL statements. The documented impact is the ability to execute arbitrary SQL in the ...

8.8CVSS9AI score0.01461EPSS
Web
CVE
CVE
added 2025/02/24 4:31 a.m.76 views

CVE-2025-1618

CVE-2025-1618 affects vtiger CRM 6.4.0/6.5.0. The vulnerability resides in the /modules/Mobile/index.php script where manipulating the _operation parameter triggers cross-site scripting. Exploitation can be remote, and public disclosures exist. Upgrading to vtiger CRM 7.0 is cited as the fix; no ...

6.1CVSS4.5AI score0.00369EPSS
Web
CVE
CVE
added 2019/11/21 7:54 p.m.74 views

CVE-2019-19202

Vulnerability CVE-2019-19202 affects Vtiger CRM 7.x prior to 7.2.0. A My Preferences POST request flaw allows a user without administrative privileges to elevate themselves by adding roleid=H2, enabling an unwanted change to their own role. This constitutes an elevation of privilege with potentia...

8.8CVSS8.6AI score0.01003EPSS
CVE
CVE
added 2021/04/29 6:17 p.m.74 views

CVE-2020-22807

Vulnerability summary (CVE-2020-22807) : vtiger CRM 7.2 is affected by a SQL Injection in the calendar exportdata feature caused by a faulty input handling (described as a union SQL injection). This could allow a remote attacker to execute arbitrary SQL commands on the vulnerable system (no authe...

9.8CVSS9.6AI score0.0128EPSS
CVE
CVE
added 2014/04/02 2:0 p.m.72 views

CVE-2013-3213

CVE-2013-3213 affects vtiger CRM 5.0.0–5.4.0, exposing multiple SQL injection vectors via SOAP services. Vulnerable code paths include get_picklists in /soap/customerportal.php, get_tickets_list in /soap/customerportal.php, and SearchContactsByEmail in /soap/thunderbirdplugin.php and /soap/vtiger...

7.5CVSS9.6AI score0.03207EPSS
Web
CVE
CVE
added 2025/05/21 12:0 a.m.71 views

CVE-2025-45753

Vulnerability CVE-2025-45753 affects Vtiger CRM Open Source Edition v8.3.0. An attacker with admin privileges can execute arbitrary PHP code by abusing the ZIP import functionality in the Module Import feature. The entry indicates high impact (C/H/I/A) with a CVSSv3.1 base score of 7.2. Connected...

7.2CVSS7.4AI score0.00383EPSS
CVE
CVE
added 2020/02/07 2:15 p.m.70 views

CVE-2013-3591

Summary of CVE-2013-3591 : The vulnerability affects vTiger CRM versions 5.3 and 5.4, where the attacker can abuse the vulnerable vTiger “files” upload folder to upload a PHP script and achieve arbitrary PHP code execution. Multiple connected sources document an authenticated remote-code-executio...

8.8CVSS8.8AI score0.43103EPSS
Web
CVE
CVE
added 2006/09/06 10:0 p.m.68 views

CVE-2006-4587

The CVE-2006-4587 entry documents multiple XSS flaws in vtiger CRM 4.2.4 (and possibly earlier) that allow remote attackers to inject arbitrary scripts via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module. The NVD data lists a CVSS v2 base ...

6.8CVSS6.1AI score0.0141EPSS
CVE
CVE
added 2016/08/01 1:0 a.m.68 views

CVE-2016-4834

VTiger CRM (version 6.4.0 and earlier) is affected by CVE-2016-4834 due to insufficient access control in modules/Users/actions/Save.php, allowing remote authenticated users to create or modify user accounts. The OpenVAS entry corroborates privilege escalation and unrestricted file upload vectors...

8.1CVSS7.5AI score0.02207EPSS
CVE
CVE
added 2021/01/20 12:43 a.m.67 views

CVE-2020-19363

Vtiger CRM v7.2.0 exposes a directory traversal vulnerability in /libraries and /layout directories that allows an unauthenticated attacker to display hidden files and list directories. The issue is confirmed by Nuclei templates (Vtiger CRM v7.2.0 - Directory Listing) describing improper access c...

6.5CVSS6.4AI score0.03613EPSS
In wild
CVE
CVE
added 2014/04/21 2:0 p.m.65 views

CVE-2014-2269

CVE-2014-2269 affects vtiger CRM v6.0 prior to Security Patch 2. The vulnerability is in modules/Users/ForgotPassword.php and allows remote attackers to reset the password for arbitrary users by submitting a request containing username, password, and confirmPassword. This is a direct consequence ...

6.4CVSS7AI score0.15782EPSS
Web
CVE
CVE
added 2019/01/04 2:0 p.m.63 views

CVE-2019-5009

Vtiger CRM 7.1.0 before Hotfix2 contains a file-upload vulnerability in the logo field: an uploaded PNG image of 150x40 with an extension allowed as php3 can carry PHP code, bypassing the extension filter and enabling code execution via the image (e.g., using PHP tags). Affected files/documented ...

7.2CVSS7AI score0.09936EPSS
Web
CVE
CVE
added 2011/11/28 9:0 p.m.62 views

CVE-2011-4559

CVE-2011-4559 affects vtiger CRM (Calendar module) prior to or including vTiger 5.2.1; the vulnerability is a SQL injection in the onlyforuser parameter of the index action (index.php). This allows remote attackers to execute arbitrary SQL commands. Connected records also indicate CVE-2013-5091 a...

7.5CVSS8.6AI score0.01387EPSS
CVE
CVE
added 2005/11/26 2:0 a.m.61 views

CVE-2005-3819

Summary: CVE-2005-3819 affects vtiger CRM up to version 4.2, with SQL injection vulnerabilities in the HelpDesk module that enable remote attackers to inject arbitrary SQL and bypass authentication via the (1) user_name and (2) date parameters. This is corroborated by multiple vulnerability feeds...

7.5CVSS8.2AI score0.02845EPSS
CVE
CVE
added 2007/07/06 7:0 p.m.61 views

CVE-2007-3603

CVE-2007-3603 affects vtiger CRM prior to 5.0.3. A SQL injection vulnerability exists in the dashboard (include/utils/SearchUtils.php) allowing remote authenticated users to execute arbitrary SQL via the assigned_user_id parameter in a Potentials ListView action to index.php. This is supported by...

6.5CVSS7.9AI score0.01396EPSS
Web
CVE
CVE
added 2011/12/02 4:0 p.m.60 views

CVE-2011-4670

CVE-2011-4670 affects vtiger CRM up to version 5.2.1 (and earlier per sources) where multiple XSS vectors exist in the Calendar, DetailView, EditView, ListView, and other modules (Calendar, Campaigns, com_vtiger_workflow, Dashboard, Potentials, Reports, Settings, Home, phprint.php). The root caus...

4.3CVSS5.9AI score0.02951EPSS
CVE
CVE
added 2025/05/21 12:0 a.m.60 views

CVE-2025-45755

Vulnerable software: Vtiger CRM Open Source Edition v8.3.0. The issue is a Stored Cross-Site Scripting (XSS) vulnerability exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload mapped to the Service Name field; when uploaded, the applica...

6.1CVSS5.2AI score0.00252EPSS
CVE
CVE
added 2006/09/06 10:0 p.m.59 views

CVE-2006-4588

vtiger CRM 4.2.4 (and possibly earlier) contains an authentication-bypass vulnerability that lets remote attackers access administrative modules by issuing a direct request to index.php with a modified module parameter, demonstrated via the Settings module. Root cause: improper validation of the ...

7.5CVSS7.4AI score0.01696EPSS
CVE
CVE
added 2007/07/06 7:0 p.m.59 views

CVE-2007-3604

CVE-2007-3604 affects vtiger CRM prior to 5.0.3. The issue allows remote authenticated users with access to the Analytics Dashboard to bypass data restrictions and read the pipeline of the entire organization, potentially involving modules/Potentials/Potentials.php. The available documents do not...

4CVSS6.4AI score0.01077EPSS
CVE
CVE
added 2012/09/06 5:0 p.m.59 views

CVE-2012-4867

CVE-2012-4867 affects vtiger CRM 5.1.0: directory traversal via .. in the module_name parameter of sortfieldsjson.php allows reading arbitrary files (Local File Include). Root cause: unsanitized user input. Several connected sources (Red Hat, NVD, CIRCL, OpenVAS, etc.) consistently describe a VTi...

5CVSS6.8AI score0.03496EPSS
Web
CVE
CVE
added 2025/01/10 12:0 a.m.59 views

CVE-2024-54687

Vtiger CRM v6.1 and earlier is vulnerable to Cross-Site Scripting (XSS) via the Documents module, specifically through the uploadAndSaveFile function in CRMEntity.php. The underlying cause is an XSS flaw in that path, enabling injected payloads to execute in affected users’ browsers. Public detai...

6.1CVSS6.1AI score0.00349EPSS
CVE
CVE
added 2009/09/18 8:0 p.m.57 views

CVE-2009-3249

CVE-2009-3249 pertains to vtiger CRM 5.0.4 and involves multiple directory traversal/remote file inclusion weaknesses. Technical details from the sources confirm: Vulnerabilities in graph.php via the module parameter and in include/Ajax/CommonAjax.php via module/file, reachable through modules li...

7.5CVSS6.9AI score0.09592EPSS
Web
CVE
CVE
added 2010/11/26 7:0 p.m.57 views

CVE-2010-3909

Vtiger CRM (5.2.0 and potentially earlier) contains an incomplete blacklist vulnerability in config.template.php that, via the draft save feature in Compose Mail, allows a remote authenticated user to upload a .phtml file and then access it from storage/ to execute code. The issue enables Remote ...

6CVSS7.5AI score0.01639EPSS
Web
CVE
CVE
added 2022/09/27 5:10 p.m.57 views

CVE-2022-38335

CVE-2022-38335 affects Vtiger CRM v7.4.0 with a stored XSS vulnerability in the Email Templates module. The root cause is insufficient input filtering/escaping in the module, allowing attacker-supplied data to be stored and later executed in the context of the affected user. The CVSS v3.1 base sc...

5.4CVSS5.3AI score0.00692EPSS
CVE
CVE
added 2024/04/30 12:0 a.m.57 views

CVE-2023-46304

Vtiger CRM 7.5.0 contains a vulnerability in modules/Users/models/Module.php where an unprotected endpoint allows a remote authenticated attacker to write arbitrary PHP code to config.inc.php, which is then executed on every page load. The issue enables remote code execution by leveraging this pa...

8.1CVSS6.9AI score0.01658EPSS
Web
CVE
CVE
added 2024/08/29 12:0 a.m.57 views

CVE-2024-44777

vTiger CRM 7.4.0 is affected by a reflected XSS in the tag parameter on the index page, enabling an attacker to execute arbitrary code in a user’s browser. The vulnerability is described across multiple sources (RH and NVD/NVD-derived records) with attacker-controlled payloads triggering code exe...

9.6CVSS6AI score0.00676EPSS
CVE
CVE
added 2005/11/26 2:0 a.m.56 views

CVE-2005-3822

CVE-2005-3822 affects vTiger CRM 4.2 and earlier, with multiple SQL injection flaws allowing remote attackers to run arbitrary SQL via the login form username or the EditView–Contacts record parameter. The NVD entry lists a CVSS v2 base score of 7.5 (HIGH) with network access, minimal authenticat...

7.5CVSS8.5AI score0.01414EPSS
CVE
CVE
added 2008/09/03 2:0 p.m.56 views

CVE-2008-3101

CVE-2008-3101 affects vtiger CRM 5.0.4. The vulnerability consists of multiple XSS flaws triggered by unvalidated input in index.php across three paths: (1) Products module, index action via the parenttab parameter; (2) Users module, Authenticate action via the user_password parameter; (3) Home m...

4.3CVSS5.6AI score0.03768EPSS
CVE
CVE
added 2009/09/18 8:0 p.m.56 views

CVE-2009-3247

CVE-2009-3247 : vtiger CRM 5.0.4 contains a Cross-site scripting (XSS) vulnerability in the Activities module, exploitable via the action parameter to phprint.php. The issue’s impact is described as injecting arbitrary web script/HTML into user sessions, with the note that the query_string vector...

4.3CVSS5.6AI score0.0346EPSS
CVE
CVE
added 2009/09/18 8:0 p.m.56 views

CVE-2009-3248

The CVE-2009-3248 entry describes a CSRF vulnerability in the vtiger CRM 5.0.4 RSS module . The flaw allows remote attackers to hijack the authentication of Admin users by crafting requests to index.php with the rssurl parameter in a Save action, enabling modification of the news feed system. The...

6.8CVSS7.1AI score0.01258EPSS
CVE
CVE
added 2005/11/26 2:0 a.m.55 views

CVE-2005-3820

vTiger CRM <= 4.2 is affected by multiple directory traversal vulnerabilities in index.php (Leads module) where, due to improper handling of .. and null byte sequences in the module and action parameters, an attacker can read or include arbitrary files and potentially execute PHP code. The iss...

6.4CVSS7.6AI score0.02737EPSS
CVE
CVE
added 2009/09/18 9:0 p.m.55 views

CVE-2009-3257

CVE-2009-3257 in vtiger CRM affects vtiger CRM before 5.1.0. The vulnerability arises when remote authenticated users can bypass permissions on profile fields (Account Billing Address and Shipping Address) by creating a Sales Order associated with that profile. The description implies a permissio...

3.6CVSS6.3AI score0.00864EPSS
CVE
CVE
added 2024/08/29 12:0 a.m.55 views

CVE-2024-44778

CVE-2024-44778 is a reflected XSS in the parent parameter of the vTiger CRM 7.4.0 index page. The vulnerability allows an attacker to execute arbitrary code in the context of a user’s browser by injecting a crafted payload, with PoCs circulating (e.g., a provided demo/PoC URL). Public references ...

9.6CVSS6AI score0.00691EPSS
CVE
CVE
added 2005/11/26 2:0 a.m.54 views

CVE-2005-3818

The CVE-2005-3818 entry concerns vTiger CRM, affected in versions up to 4.2 and earlier, with multiple XSS flaws that allow attacker-supplied HTML/JS via various input fields (including contact, lead, first/last name), the Leads module DetailView record parameter, $_SERVER['PHP_SELF'], and RSS fe...

4.3CVSS5.8AI score0.05084EPSS
CVE
CVE
added 2005/11/26 2:0 a.m.54 views

CVE-2005-3821

CVE-2005-3821 is an XSS vulnerability affecting vTiger CRM 4.2 and earlier. The exposed component is the web application, with arbitrary script/HTML injection possible via multiple vectors, including the account name. Connected sources corroborate multiple VTiger-related advisories and OpenVAS/Ne...

4.3CVSS5.7AI score0.01338EPSS
CVE
CVE
added 2005/11/26 2:0 a.m.53 views

CVE-2005-3824

The CVE-2005-3824 entry concerns vTiger CRM 4.2 and earlier, where the uploads module (via add2db action) allows remote attackers to upload arbitrary files, including PHP scripts. This is an arbitrary file upload vulnerability in the uploads module, enabling potential remote execution or hosting ...

5CVSS7AI score0.01487EPSS
CVE
CVE
added 2007/07/06 7:0 p.m.53 views

CVE-2007-3602

The CVE concerns vtiger CRM’s SOAP webservice prior to 5.0.3. The vulnerability arises because the service does not verify that authenticated accounts are active, allowing remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin. Affec...

5.5CVSS6.3AI score0.0149EPSS
CVE
CVE
added 2009/09/18 8:0 p.m.53 views

CVE-2009-3250

The CVE-2009-3250 issue affects vtiger CRM 5.0.4, where the saveForwardAttachments function in Compose Mail lets remote authenticated users execute arbitrary code by attaching a filename ending in .php (varying by Apache config/OS) and then requesting a path under storage/. The connected document...

9CVSS7.3AI score0.10932EPSS
Web
CVE
CVE
added 2021/01/20 12:42 a.m.53 views

CVE-2020-19362

CVE-2020-19362 describes a reflected Cross-Site Scripting flaw in Vtiger CRM v7.2.0. The vulnerability occurs in vtigercrm/index.php? (view parameter) due to insufficient validation of client-side data by the web application, enabling an attacker to craft a link that could perform malicious actio...

6.1CVSS5.9AI score0.00749EPSS
Web
CVE
CVE
added 2007/07/06 7:0 p.m.52 views

CVE-2007-3617

The CVE-2007-3617 issue affects vtiger CRM prior to 5.0.3, where the report module fails to enforce security rules. This allows remote authenticated users to read arbitrary private module entries via the report functionality. Affected component: vtiger CRM report module; root cause: improper appl...

4CVSS6.4AI score0.00963EPSS
Total number of security vulnerabilities72