Vtiger Crm@4.2 Security Vulnerabilities and Issues — Vtiger Crm@4.2 CVE List

Lucene search

VtigerVtiger Crm4.2

11 matches found

CVE•added 2013/10/04 8:55 p.m.•60 views

CVE-2013-5091

SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.

6.5CVSS8AI score0.01004EPSS

CVE•added 2010/11/26 8:0 p.m.•56 views

CVE-2010-3910

Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_langu...

6.8CVSS7.3AI score0.01489EPSS

CVE•added 2014/11/16 1:59 a.m.•56 views

CVE-2014-2268

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parame...

5CVSS6.9AI score0.77294EPSS

CVE•added 2006/09/06 10:4 p.m.•48 views

CVE-2006-4588

vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings module.

7.5CVSS7.4AI score0.00811EPSS

CVE•added 2006/09/06 10:4 p.m.•47 views

CVE-2006-4587

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module.

6.8CVSS6.1AI score0.0157EPSS

CVE•added 2010/11/26 8:0 p.m.•45 views

CVE-2010-3909

Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request ...

6CVSS7.5AI score0.02627EPSS

CVE•added 2011/11/28 9:55 p.m.•44 views

CVE-2011-4559

SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.

7.5CVSS8.6AI score0.01004EPSS

CVE•added 2010/11/26 8:0 p.m.•39 views

CVE-2010-3911

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings Ge...

4.3CVSS6AI score0.00365EPSS

CVE•added 2006/10/13 8:7 p.m.•35 views

CVE-2006-5289

Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php.

7.5CVSS7.6AI score0.12101EPSS

CVE•added 2009/09/18 9:30 p.m.•35 views

CVE-2009-3258

vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, a...

9CVSS6.3AI score0.0044EPSS

CVE•added 2011/12/07 7:55 p.m.•35 views

CVE-2011-4680

Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00263EPSS