72 matches found
CVE-2018-8047
Vulnerability: vtiger CRM 7.0.1 is affected by a reflected Cross-Site Scripting (XSS) flaw. Root cause: lack of proper input validation in the app parameter passed via index.php?module=Contacts&view=List, enabling remote unauthenticated users to inject script/HTML. Affected versions: 7.0.1 and pr...
CVE-2013-3215
CVE-2013-3215 affects vtiger CRM 5.4.0 and earlier. Root cause: authentication bypass due to improper validation in validateSession. CVSS v3.1 base score 9.8 (CRITICAL; NETWORK, LOW attack complexity, PR:N; privileges NONE; UI:N; C/H/I/H/A/H). Public details in NVD/CVE records indicate high-risk ...
CVE-2013-3214
CVE-2013-3214 affects vtiger CRM 5.4.0 and earlier; a PHP Code Injection vulnerability exists in vtigerolservice.php that can lead to remote code execution. Public disclosure includes Metasploit/Exploitation modules (e.g., vtiger_soap_upload) and multiple Exploit-DB entries. Remediation details a...
CVE-2014-1222
CVE-2014-1222 affects Vtiger CRM prior to 6.0.0 Security Patch 1, where a vulnerability in the kcfinder/browse.php component allows remote authenticated users to read arbitrary files via directory traversal (.. in the file parameter) in a download action. The issue is likely in KCFinder and may a...
CVE-2016-1713
CVE-2016-1713 concerns Vtiger CRM 6.4.0 where an unrestricted file upload in Settings_Vtiger_CompanyDetailsSave_Action (modules/Settings/Vtiger/actions/CompanyDetailsSave.php) lets a remote authenticated user upload a crafted image with an executable extension and access it via test/logo/ to exec...
CVE-2013-3212
CVE-2013-3212 affects vtiger CRM <= 5.4.0. Affected component: SOAP-based customerportal.php with two Local File Inclusion vulnerabilities in get_list_values and get_project_components. Root cause: input in the module parameter is not properly validated, leading to require_once of untrusted lo...
CVE-2013-5091
The CVE affects vtiger CRM (CalendarCommon.php) where SQL injection is possible via the onlyforuser parameter passed to index.php. Affected: vtiger CRM 5.4.0 and likely earlier. Root cause: insufficient validation of the onlyforuser input leading to arbitrary SQL execution; exploitation requires ...
CVE-2015-6000
CVE-2015-6000 refers to an Unrestricted file upload vulnerability in Vtiger CRM (Settings_Vtiger_CompanyDetailsSave_Action in modules/Settings/Vtiger/actions/CompanyDetailsSave.php) affecting Vtiger CRM 6.3.0 and earlier. The issue allows remote authenticated users to execute arbitrary code by up...
CVE-2010-3910
Vuln summary (CVE-2010-3910): VTiger CRM up to version 5.2.0 is affected by local file inclusion and directory traversal issues in include/utils/utils.php (return_application_language) and in graph.php. An attacker can trigger LFI by manipulating language parameters (lang_crm in phprint.php and c...
CVE-2014-2268
CVE-2014-2268 affects vtiger CRM 6.0 Install module prior to Security Patch 2, where access restrictions are insufficient and a crafted request (including X-Requested-With) can re-install the app and execute arbitrary PHP via the db_name parameter. Public indicators of exploitation exist (e.g., M...
CVE-2016-10754
CVE-2016-10754 affects Vtiger CRM 6.5.0, specifically the file modules/Calendar/Activity.php. The vulnerability is an SQL injection via the contactidlist parameter due to lack of validation of externally entered SQL statements. The documented impact is the ability to execute arbitrary SQL in the ...
CVE-2025-1618
CVE-2025-1618 affects vtiger CRM 6.4.0/6.5.0. The vulnerability resides in the /modules/Mobile/index.php script where manipulating the _operation parameter triggers cross-site scripting. Exploitation can be remote, and public disclosures exist. Upgrading to vtiger CRM 7.0 is cited as the fix; no ...
CVE-2019-19202
Vulnerability CVE-2019-19202 affects Vtiger CRM 7.x prior to 7.2.0. A My Preferences POST request flaw allows a user without administrative privileges to elevate themselves by adding roleid=H2, enabling an unwanted change to their own role. This constitutes an elevation of privilege with potentia...
CVE-2020-22807
Vulnerability summary (CVE-2020-22807) : vtiger CRM 7.2 is affected by a SQL Injection in the calendar exportdata feature caused by a faulty input handling (described as a union SQL injection). This could allow a remote attacker to execute arbitrary SQL commands on the vulnerable system (no authe...
CVE-2013-3213
CVE-2013-3213 affects vtiger CRM 5.0.0–5.4.0, exposing multiple SQL injection vectors via SOAP services. Vulnerable code paths include get_picklists in /soap/customerportal.php, get_tickets_list in /soap/customerportal.php, and SearchContactsByEmail in /soap/thunderbirdplugin.php and /soap/vtiger...
CVE-2025-45753
Vulnerability CVE-2025-45753 affects Vtiger CRM Open Source Edition v8.3.0. An attacker with admin privileges can execute arbitrary PHP code by abusing the ZIP import functionality in the Module Import feature. The entry indicates high impact (C/H/I/A) with a CVSSv3.1 base score of 7.2. Connected...
CVE-2013-3591
Summary of CVE-2013-3591 : The vulnerability affects vTiger CRM versions 5.3 and 5.4, where the attacker can abuse the vulnerable vTiger “files” upload folder to upload a PHP script and achieve arbitrary PHP code execution. Multiple connected sources document an authenticated remote-code-executio...
CVE-2006-4587
The CVE-2006-4587 entry documents multiple XSS flaws in vtiger CRM 4.2.4 (and possibly earlier) that allow remote attackers to inject arbitrary scripts via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module. The NVD data lists a CVSS v2 base ...
CVE-2016-4834
VTiger CRM (version 6.4.0 and earlier) is affected by CVE-2016-4834 due to insufficient access control in modules/Users/actions/Save.php, allowing remote authenticated users to create or modify user accounts. The OpenVAS entry corroborates privilege escalation and unrestricted file upload vectors...
CVE-2020-19363
Vtiger CRM v7.2.0 exposes a directory traversal vulnerability in /libraries and /layout directories that allows an unauthenticated attacker to display hidden files and list directories. The issue is confirmed by Nuclei templates (Vtiger CRM v7.2.0 - Directory Listing) describing improper access c...
CVE-2014-2269
CVE-2014-2269 affects vtiger CRM v6.0 prior to Security Patch 2. The vulnerability is in modules/Users/ForgotPassword.php and allows remote attackers to reset the password for arbitrary users by submitting a request containing username, password, and confirmPassword. This is a direct consequence ...
CVE-2019-5009
Vtiger CRM 7.1.0 before Hotfix2 contains a file-upload vulnerability in the logo field: an uploaded PNG image of 150x40 with an extension allowed as php3 can carry PHP code, bypassing the extension filter and enabling code execution via the image (e.g., using PHP tags). Affected files/documented ...
CVE-2011-4559
CVE-2011-4559 affects vtiger CRM (Calendar module) prior to or including vTiger 5.2.1; the vulnerability is a SQL injection in the onlyforuser parameter of the index action (index.php). This allows remote attackers to execute arbitrary SQL commands. Connected records also indicate CVE-2013-5091 a...
CVE-2005-3819
Summary: CVE-2005-3819 affects vtiger CRM up to version 4.2, with SQL injection vulnerabilities in the HelpDesk module that enable remote attackers to inject arbitrary SQL and bypass authentication via the (1) user_name and (2) date parameters. This is corroborated by multiple vulnerability feeds...
CVE-2007-3603
CVE-2007-3603 affects vtiger CRM prior to 5.0.3. A SQL injection vulnerability exists in the dashboard (include/utils/SearchUtils.php) allowing remote authenticated users to execute arbitrary SQL via the assigned_user_id parameter in a Potentials ListView action to index.php. This is supported by...
CVE-2011-4670
CVE-2011-4670 affects vtiger CRM up to version 5.2.1 (and earlier per sources) where multiple XSS vectors exist in the Calendar, DetailView, EditView, ListView, and other modules (Calendar, Campaigns, com_vtiger_workflow, Dashboard, Potentials, Reports, Settings, Home, phprint.php). The root caus...
CVE-2025-45755
Vulnerable software: Vtiger CRM Open Source Edition v8.3.0. The issue is a Stored Cross-Site Scripting (XSS) vulnerability exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload mapped to the Service Name field; when uploaded, the applica...
CVE-2006-4588
vtiger CRM 4.2.4 (and possibly earlier) contains an authentication-bypass vulnerability that lets remote attackers access administrative modules by issuing a direct request to index.php with a modified module parameter, demonstrated via the Settings module. Root cause: improper validation of the ...
CVE-2007-3604
CVE-2007-3604 affects vtiger CRM prior to 5.0.3. The issue allows remote authenticated users with access to the Analytics Dashboard to bypass data restrictions and read the pipeline of the entire organization, potentially involving modules/Potentials/Potentials.php. The available documents do not...
CVE-2012-4867
CVE-2012-4867 affects vtiger CRM 5.1.0: directory traversal via .. in the module_name parameter of sortfieldsjson.php allows reading arbitrary files (Local File Include). Root cause: unsanitized user input. Several connected sources (Red Hat, NVD, CIRCL, OpenVAS, etc.) consistently describe a VTi...
CVE-2024-54687
Vtiger CRM v6.1 and earlier is vulnerable to Cross-Site Scripting (XSS) via the Documents module, specifically through the uploadAndSaveFile function in CRMEntity.php. The underlying cause is an XSS flaw in that path, enabling injected payloads to execute in affected users’ browsers. Public detai...
CVE-2009-3249
CVE-2009-3249 pertains to vtiger CRM 5.0.4 and involves multiple directory traversal/remote file inclusion weaknesses. Technical details from the sources confirm: Vulnerabilities in graph.php via the module parameter and in include/Ajax/CommonAjax.php via module/file, reachable through modules li...
CVE-2010-3909
Vtiger CRM (5.2.0 and potentially earlier) contains an incomplete blacklist vulnerability in config.template.php that, via the draft save feature in Compose Mail, allows a remote authenticated user to upload a .phtml file and then access it from storage/ to execute code. The issue enables Remote ...
CVE-2022-38335
CVE-2022-38335 affects Vtiger CRM v7.4.0 with a stored XSS vulnerability in the Email Templates module. The root cause is insufficient input filtering/escaping in the module, allowing attacker-supplied data to be stored and later executed in the context of the affected user. The CVSS v3.1 base sc...
CVE-2023-46304
Vtiger CRM 7.5.0 contains a vulnerability in modules/Users/models/Module.php where an unprotected endpoint allows a remote authenticated attacker to write arbitrary PHP code to config.inc.php, which is then executed on every page load. The issue enables remote code execution by leveraging this pa...
CVE-2024-44777
vTiger CRM 7.4.0 is affected by a reflected XSS in the tag parameter on the index page, enabling an attacker to execute arbitrary code in a user’s browser. The vulnerability is described across multiple sources (RH and NVD/NVD-derived records) with attacker-controlled payloads triggering code exe...
CVE-2005-3822
CVE-2005-3822 affects vTiger CRM 4.2 and earlier, with multiple SQL injection flaws allowing remote attackers to run arbitrary SQL via the login form username or the EditView–Contacts record parameter. The NVD entry lists a CVSS v2 base score of 7.5 (HIGH) with network access, minimal authenticat...
CVE-2008-3101
CVE-2008-3101 affects vtiger CRM 5.0.4. The vulnerability consists of multiple XSS flaws triggered by unvalidated input in index.php across three paths: (1) Products module, index action via the parenttab parameter; (2) Users module, Authenticate action via the user_password parameter; (3) Home m...
CVE-2009-3247
CVE-2009-3247 : vtiger CRM 5.0.4 contains a Cross-site scripting (XSS) vulnerability in the Activities module, exploitable via the action parameter to phprint.php. The issue’s impact is described as injecting arbitrary web script/HTML into user sessions, with the note that the query_string vector...
CVE-2009-3248
The CVE-2009-3248 entry describes a CSRF vulnerability in the vtiger CRM 5.0.4 RSS module . The flaw allows remote attackers to hijack the authentication of Admin users by crafting requests to index.php with the rssurl parameter in a Save action, enabling modification of the news feed system. The...
CVE-2005-3820
vTiger CRM <= 4.2 is affected by multiple directory traversal vulnerabilities in index.php (Leads module) where, due to improper handling of .. and null byte sequences in the module and action parameters, an attacker can read or include arbitrary files and potentially execute PHP code. The iss...
CVE-2009-3257
CVE-2009-3257 in vtiger CRM affects vtiger CRM before 5.1.0. The vulnerability arises when remote authenticated users can bypass permissions on profile fields (Account Billing Address and Shipping Address) by creating a Sales Order associated with that profile. The description implies a permissio...
CVE-2024-44778
CVE-2024-44778 is a reflected XSS in the parent parameter of the vTiger CRM 7.4.0 index page. The vulnerability allows an attacker to execute arbitrary code in the context of a user’s browser by injecting a crafted payload, with PoCs circulating (e.g., a provided demo/PoC URL). Public references ...
CVE-2005-3818
The CVE-2005-3818 entry concerns vTiger CRM, affected in versions up to 4.2 and earlier, with multiple XSS flaws that allow attacker-supplied HTML/JS via various input fields (including contact, lead, first/last name), the Leads module DetailView record parameter, $_SERVER['PHP_SELF'], and RSS fe...
CVE-2005-3821
CVE-2005-3821 is an XSS vulnerability affecting vTiger CRM 4.2 and earlier. The exposed component is the web application, with arbitrary script/HTML injection possible via multiple vectors, including the account name. Connected sources corroborate multiple VTiger-related advisories and OpenVAS/Ne...
CVE-2005-3824
The CVE-2005-3824 entry concerns vTiger CRM 4.2 and earlier, where the uploads module (via add2db action) allows remote attackers to upload arbitrary files, including PHP scripts. This is an arbitrary file upload vulnerability in the uploads module, enabling potential remote execution or hosting ...
CVE-2007-3602
The CVE concerns vtiger CRM’s SOAP webservice prior to 5.0.3. The vulnerability arises because the service does not verify that authenticated accounts are active, allowing remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin. Affec...
CVE-2009-3250
The CVE-2009-3250 issue affects vtiger CRM 5.0.4, where the saveForwardAttachments function in Compose Mail lets remote authenticated users execute arbitrary code by attaching a filename ending in .php (varying by Apache config/OS) and then requesting a path under storage/. The connected document...
CVE-2020-19362
CVE-2020-19362 describes a reflected Cross-Site Scripting flaw in Vtiger CRM v7.2.0. The vulnerability occurs in vtigercrm/index.php? (view parameter) due to insufficient validation of client-side data by the web application, enabling an attacker to craft a link that could perform malicious actio...
CVE-2007-3617
The CVE-2007-3617 issue affects vtiger CRM prior to 5.0.3, where the report module fails to enforce security rules. This allows remote authenticated users to read arbitrary private module entries via the report functionality. Affected component: vtiger CRM report module; root cause: improper appl...