Vulnerabilities related to vtiger - vtiger_crm
CVE-2009-3250 (GCVE-0-2009-3250)
Vulnerability from cvelistv5
Published
2009-09-18 20:00
Modified
2024-08-07 06:22
CWE
- n/a
Summary
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code. An attacker composes an e-mail message with an attachment whose filename ends in (1) .php (in installations based on certain Apache HTTP Server configurations), (2) .php. (on Windows), or (3) .php/ (on Linux), and then requests the stored attachment directly via a web-accessible pathname under storage/, where the web server executes it as PHP.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/ | x_refsource_MISC | |
http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt | x_refsource_MISC | |
http://www.exploit-db.com/exploits/9450 | exploit, x_refsource_EXPLOIT-DB | |
http://marc.info/?l=bugtraq&m=125060676515670&w=2 | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/36062 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA | |
http://www.osvdb.org/57237 | vdb-entry, x_refsource_OSVDB | |
http://www.vupen.com/english/advisories/2009/2319 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:24.252Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" }, { "name": "57237", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/57237" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP Server configurations, (2) .php. on Windows, or (3) .php/ on Linux, and then making a direct request to a certain pathname under storage/." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" }, { "name": "57237", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/57237" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3250", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP Server 
configurations, (2) .php. on Windows, or (3) .php/ on Linux, and then making a direct request to a certain pathname under storage/." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/", "refsource": "MISC", "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "name": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "9450", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" }, { "name": "57237", "refsource": "OSVDB", "url": "http://www.osvdb.org/57237" }, { "name": "ADV-2009-2319", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2319" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3250", "datePublished": "2009-09-18T20:00:00", "dateReserved": "2009-09-18T00:00:00", "dateUpdated": "2024-08-07T06:22:24.252Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3257 (GCVE-0-2009-3257)
Vulnerability from cvelistv5
Published
2009-09-18 21:00
Modified
2024-09-16 19:57
CWE
- n/a
Summary
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:24.010Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-09-18T21:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3257", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order 
(SO) associated with that profile." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3257", "datePublished": "2009-09-18T21:00:00Z", "dateReserved": "2009-09-18T00:00:00Z", "dateUpdated": "2024-09-16T19:57:02.673Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-10754 (GCVE-0-2016-10754)
Vulnerability from cvelistv5
Published
2019-05-24 17:40
Modified
2024-08-06 03:30
CWE
- n/a
Summary
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
References
▼ | URL | Tags |
---|---|---|
https://demo.ripstech.com/projects/vtiger_6.5.0 | x_refsource_MISC | |
https://blog.ripstech.com/2016/vtiger-sql-injection/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T03:30:20.179Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://demo.ripstech.com/projects/vtiger_6.5.0" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ripstech.com/2016/vtiger-sql-injection/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-24T17:40:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://demo.ripstech.com/projects/vtiger_6.5.0" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ripstech.com/2016/vtiger-sql-injection/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10754", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://demo.ripstech.com/projects/vtiger_6.5.0", "refsource": "MISC", "url": "https://demo.ripstech.com/projects/vtiger_6.5.0" }, { "name": "https://blog.ripstech.com/2016/vtiger-sql-injection/", "refsource": "MISC", "url": "https://blog.ripstech.com/2016/vtiger-sql-injection/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10754", "datePublished": "2019-05-24T17:40:48", "dateReserved": "2019-05-24T00:00:00", "dateUpdated": "2024-08-06T03:30:20.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2011-4559 (GCVE-0-2011-4559)
Vulnerability from cvelistv5
Published
2011-11-28 21:00
Modified
2024-08-07 00:09
CWE
- n/a
Summary
SQL injection vulnerability (reported as a blind SQL injection) in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/520006/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2011/Oct/224 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/bid/49948 | vdb-entry, x_refsource_BID | |
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin | x_refsource_MISC | |
http://osvdb.org/76138 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/70344 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:09:18.957Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20111005 vTiger CRM 5.2.x \u003c= Blind SQL Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/520006/100/0/threaded" }, { "name": "20111005 vTiger CRM 5.2.x \u003c= Blind SQL Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/224" }, { "name": "49948", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/49948" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin" }, { "name": "76138", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/76138" }, { "name": "vtigercrm-index-sql-injection(70344)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70344" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-10-05T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20111005 vTiger CRM 5.2.x \u003c= Blind SQL Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/520006/100/0/threaded" }, { "name": "20111005 vTiger CRM 5.2.x \u003c= Blind SQL Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/224" }, { "name": "49948", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/49948" }, { "tags": [ "x_refsource_MISC" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin" }, { "name": "76138", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/76138" }, { "name": "vtigercrm-index-sql-injection(70344)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70344" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4559", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20111005 vTiger CRM 5.2.x \u003c= Blind SQL Injection Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/520006/100/0/threaded" }, { "name": "20111005 vTiger CRM 5.2.x \u003c= Blind SQL Injection Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2011/Oct/224" }, { "name": "49948", "refsource": "BID", "url": "http://www.securityfocus.com/bid/49948" }, { "name": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin", "refsource": "MISC", "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin" }, { "name": "76138", "refsource": "OSVDB", "url": "http://osvdb.org/76138" }, { "name": "vtigercrm-index-sql-injection(70344)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70344" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4559", "datePublished": "2011-11-28T21:00:00", "dateReserved": "2011-11-28T00:00:00", "dateUpdated": "2024-08-07T00:09:18.957Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3251 (GCVE-0-2009-3251)
Vulnerability from cvelistv5
Published
2009-09-18 20:00
Modified
2024-09-17 02:01
CWE
- n/a
Summary
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.
References
▼ | URL | Tags |
---|---|---|
http://www.osvdb.org/57241 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208 | x_refsource_CONFIRM | |
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:24.016Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "57241", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/57241" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-09-18T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "57241", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/57241" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3251", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "57241", "refsource": "OSVDB", "url": "http://www.osvdb.org/57241" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208" }, { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3251", "datePublished": "2009-09-18T20:00:00Z", "dateReserved": "2009-09-18T00:00:00Z", "dateUpdated": "2024-09-17T02:01:47.464Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-1222 (GCVE-0-2014-1222)
Vulnerability from cvelistv5
Published
2014-08-12 23:00
Modified
2024-08-06 09:34
CWE
- n/a
Summary
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via .. (dot dot) sequences in the file parameter of a download action. NOTE: it is likely that this issue is actually in the bundled KCFinder third-party component, so other products that ship KCFinder may be affected as well, not only Vtiger CRM.
References
▼ | URL | Tags |
---|---|---|
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/ | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/531423/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:34:40.889Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/" }, { "name": "20140312 CVE-2014-1222 - Local File Inclusion in Vtiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/531423/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/" }, { "name": "20140312 CVE-2014-1222 - Local File Inclusion in Vtiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/531423/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1222", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/", "refsource": "MISC", "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/" }, { "name": "20140312 CVE-2014-1222 - Local File Inclusion in Vtiger CRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/531423/100/0/threaded" }, { "name": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1222", "datePublished": "2014-08-12T23:00:00", "dateReserved": "2014-01-07T00:00:00", "dateUpdated": "2024-08-06T09:34:40.889Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-3212 (GCVE-0-2013-3212)
Vulnerability from cvelistv5
Published
2020-01-28 20:23
Modified
2024-08-06 16:00
CWE
- n/a
Summary
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.
References
▼ | URL | Tags |
---|---|---|
http://www.exploit-db.com/exploits/27279 | exploit, x_refsource_EXPLOIT-DB | |
http://www.securityfocus.com/bid/61560 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/86162 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:00:10.139Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "27279", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/27279" }, { "name": "61560", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61560" }, { "name": "86162", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86162" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-01T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in \u0027customerportal.php\u0027 which allows remote attackers to view files and execute local script code." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T20:23:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "27279", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/27279" }, { "name": "61560", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61560" }, { "name": "86162", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86162" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3212", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in \u0027customerportal.php\u0027 which allows remote attackers to view files and execute local script code." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "27279", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/27279" }, { "name": "61560", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61560" }, { "name": "86162", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86162" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3212", "datePublished": "2020-01-28T20:23:20", "dateReserved": "2013-04-20T00:00:00", "dateUpdated": "2024-08-06T16:00:10.139Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-3213 (GCVE-0-2013-3213)
Vulnerability from cvelistv5
Published
2014-04-02 14:00
Modified
2024-08-06 16:00
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.
References
▼ | URL | Tags |
---|---|---|
http://karmainsecurity.com/KIS-2013-06 | x_refsource_MISC | |
http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html | mailing-list, x_refsource_BUGTRAQ | |
https://www.vtiger.com/blogs/?p=1467 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/61563 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/86129 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:00:10.095Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://karmainsecurity.com/KIS-2013-06" }, { "name": "20130801 [KIS-2013-06] vtiger CRM \u003c= 5.4.0 (SOAP Services) Multiple SQL Injection Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.vtiger.com/blogs/?p=1467" }, { "name": "61563", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61563" }, { "name": "vtigercrm-cve20133213-multiple-sql-injection(86129)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86129" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://karmainsecurity.com/KIS-2013-06" }, { "name": "20130801 [KIS-2013-06] vtiger CRM \u003c= 5.4.0 (SOAP Services) Multiple SQL Injection Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.vtiger.com/blogs/?p=1467" }, { "name": "61563", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61563" }, { "name": "vtigercrm-cve20133213-multiple-sql-injection(86129)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86129" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3213", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://karmainsecurity.com/KIS-2013-06", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2013-06" }, { "name": "20130801 [KIS-2013-06] vtiger CRM \u003c= 5.4.0 (SOAP Services) Multiple SQL Injection Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html" }, { "name": "https://www.vtiger.com/blogs/?p=1467", "refsource": "CONFIRM", "url": "https://www.vtiger.com/blogs/?p=1467" }, { "name": "61563", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61563" }, { "name": "vtigercrm-cve20133213-multiple-sql-injection(86129)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86129" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3213", "datePublished": "2014-04-02T14:00:00", "dateReserved": "2013-04-20T00:00:00", "dateUpdated": "2024-08-06T16:00:10.095Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-3458 (GCVE-0-2008-3458)
Vulnerability from cvelistv5
Published
2008-08-04 19:00
Modified
2024-09-16 16:18
CWE
- n/a
Summary
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/27228 | vdb-entry, x_refsource_BID | |
http://sourceforge.net/project/shownotes.php?release_id=567189 | x_refsource_CONFIRM | |
http://www.osvdb.org/40218 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107 | x_refsource_CONFIRM | |
http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes | x_refsource_CONFIRM | |
http://secunia.com/advisories/28370 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T09:37:27.156Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "27228", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27228" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/project/shownotes.php?release_id=567189" }, { "name": "40218", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/40218" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes" }, { "name": "28370", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28370" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-08-04T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "27228", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27228" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/project/shownotes.php?release_id=567189" }, { "name": "40218", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/40218" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes" }, { "name": "28370", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28370" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3458", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "27228", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27228" }, { "name": "http://sourceforge.net/project/shownotes.php?release_id=567189", "refsource": "CONFIRM", "url": "http://sourceforge.net/project/shownotes.php?release_id=567189" }, { "name": "40218", "refsource": "OSVDB", "url": "http://www.osvdb.org/40218" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107" }, { "name": "http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes", "refsource": "CONFIRM", "url": "http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes" }, { "name": "28370", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28370" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811", "refsource": "MISC", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3458", "datePublished": "2008-08-04T19:00:00Z", "dateReserved": "2008-08-04T00:00:00Z", "dateUpdated": "2024-09-16T16:18:19.110Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3818 (GCVE-0-2005-3818)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.
References
▼ | URL | Tags |
---|---|---|
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://www.hardened-php.net/advisory_232005.105.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/15562 | vdb-entry, x_refsource_BID | |
http://securitytracker.com/id?1015271 | vdb-entry, x_refsource_SECTRACK | |
http://www.osvdb.org/21228 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/archive/1/417730/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/23363 | vdb-entry, x_refsource_XF | |
http://www.osvdb.org/21227 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA | |
http://www.osvdb.org/21230 | vdb-entry, x_refsource_OSVDB | |
http://www.osvdb.org/21229 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/23362 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.338Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015271" }, { "name": "21228", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/21228" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "vtiger-rss-xss(23363)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23363" }, { "name": "21227", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/21227" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" }, { "name": "21230", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/21230" }, { "name": "21229", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/21229" }, { "name": "vtiger-multiple-fields-xss(23362)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23362" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", 
"versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER[\u0027PHP_SELF\u0027] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015271" }, { "name": "21228", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/21228" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "vtiger-rss-xss(23363)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23363" }, { "name": "21227", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/21227" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": 
"http://secunia.com/advisories/17693" }, { "name": "21230", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/21230" }, { "name": "21229", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/21229" }, { "name": "vtiger-multiple-fields-xss(23362)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23362" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3818", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER[\u0027PHP_SELF\u0027] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "http://www.hardened-php.net/advisory_232005.105.html", "refsource": "MISC", "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015271" }, { "name": "21228", "refsource": "OSVDB", "url": "http://www.osvdb.org/21228" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "vtiger-rss-xss(23363)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23363" }, { "name": "21227", "refsource": "OSVDB", "url": "http://www.osvdb.org/21227" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" }, { "name": "21230", "refsource": "OSVDB", "url": "http://www.osvdb.org/21230" }, { "name": "21229", "refsource": "OSVDB", "url": "http://www.osvdb.org/21229" }, { "name": "vtiger-multiple-fields-xss(23362)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23362" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3818", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.338Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3821 (GCVE-0-2005-3821)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/417711/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/15569 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://securitytracker.com/id?1015274 | vdb-entry, x_refsource_SECTRACK | |
http://marc.info/?l=full-disclosure&m=113290708121951&w=2 | mailing-list, x_refsource_FULLDISC | |
http://www.osvdb.org/21232 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.516Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "21232", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/21232" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "21232", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/21232" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/17693" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3821", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "FULLDISC", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "21232", "refsource": "OSVDB", "url": "http://www.osvdb.org/21232" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3821", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.516Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4867 (GCVE-0-2012-4867)
Vulnerability from cvelistv5
Published
2012-09-06 17:00
Modified
2024-09-17 01:56
CWE
- n/a
Summary
Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.
References
▼ | URL | Tags |
---|---|---|
http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html | x_refsource_MISC | |
http://www.exploit-db.com/exploits/18635 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:50:17.369Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html" }, { "name": "18635", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/18635" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-06T17:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html" }, { "name": "18635", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/18635" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-4867", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. 
(dot dot) in the module_name parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html", "refsource": "MISC", "url": "http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html" }, { "name": "18635", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/18635" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-4867", "datePublished": "2012-09-06T17:00:00Z", "dateReserved": "2012-09-06T00:00:00Z", "dateUpdated": "2024-09-17T01:56:38.571Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2011-4679 (GCVE-0-2011-4679)
Vulnerability from cvelistv5
Published
2011-12-07 19:00
Modified
2024-09-16 23:45
CWE
- n/a
Summary
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.
References
▼ | URL | Tags |
---|---|---|
http://wiki.vtiger.com/index.php/Oct2011:ODUpdate | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:16:33.526Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-12-07T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4679", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM before 5.3.0 does 
not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate", "refsource": "CONFIRM", "url": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4679", "datePublished": "2011-12-07T19:00:00Z", "dateReserved": "2011-12-06T00:00:00Z", "dateUpdated": "2024-09-16T23:45:30.696Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3616 (GCVE-0-2007-3616)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-09-17 03:32
CWE
- n/a
Summary
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.416Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2007-07-06T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3616", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3616", "datePublished": "2007-07-06T19:00:00Z", "dateReserved": "2007-07-06T00:00:00Z", "dateUpdated": "2024-09-17T03:32:41.788Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-19363 (GCVE-0-2020-19363)
Vulnerability from cvelistv5
Published
2021-01-20 00:43
Modified
2024-08-04 14:08
CWE
- n/a
Summary
Vtiger CRM v7.2.0 exposes directory listings: an attacker can enumerate directory contents and discover otherwise hidden files by requesting the /libraries and /layout directories directly. (Directory indexing is normally a web-server setting; the references are screenshots of the listing, so confirm on the target deployment whether indexing is enabled.)
References
▼ | URL | Tags |
---|---|---|
https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/ | x_refsource_MISC | |
https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png | x_refsource_MISC | |
https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:08:30.805Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-20T00:43:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png" }, { "tags": [ "x_refsource_MISC" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-19363", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by 
using /libraries and /layout directories." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/", "refsource": "MISC", "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "name": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png", "refsource": "MISC", "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png" }, { "name": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png", "refsource": "MISC", "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-19363", "datePublished": "2021-01-20T00:43:54", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:08:30.805Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2006-4617 (GCVE-0-2006-4617)
Vulnerability from cvelistv5
Published
2006-09-07 00:00
Modified
2024-08-07 19:14
CWE
- n/a
Summary
Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails (sic) folder.
References
▼ | URL | Tags |
---|---|---|
http://www.security-net.biz/adv/D3906a.txt | x_refsource_MISC | |
http://www.osvdb.org/28459 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T19:14:47.882Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "28459", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/28459" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-09-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2006-09-13T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "28459", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/28459" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-4617", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails 
folder." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.security-net.biz/adv/D3906a.txt", "refsource": "MISC", "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "28459", "refsource": "OSVDB", "url": "http://www.osvdb.org/28459" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-4617", "datePublished": "2006-09-07T00:00:00", "dateReserved": "2006-09-06T00:00:00", "dateUpdated": "2024-08-07T19:14:47.882Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-42994 (GCVE-0-2024-42994)
Vulnerability from cvelistv5
Published
2024-08-16 00:00
Modified
2024-08-16 17:58
CWE
- n/a
Summary
VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection (CWE-89) in the "CompanyDetails" operation of the "MailManager" module. The CISA ADP enrichment rates it CVSS 3.1 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network with no user interaction, but requiring a high-privilege authenticated account; a public PoC exists ("Exploitation: poc").
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "lessThanOrEqual": "8.1.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-42994", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-16T17:56:20.836684Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-16T17:58:59.527Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "VTiger CRM \u003c= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the \"CompanyDetails\" operation of the \"MailManager\" module." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-16T16:53:05.574356", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.shielder.com/advisories/vtiger-mailmanager-sqli/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-42994", "datePublished": "2024-08-16T00:00:00", "dateReserved": "2024-08-05T00:00:00", "dateUpdated": "2024-08-16T17:58:59.527Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-6000 (GCVE-0-2015-6000)
Vulnerability from cvelistv5
Published
2020-02-06 13:55
Modified
2024-08-06 07:06
CWE
- File Upload
Summary
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.
References
▼ | URL | Tags |
---|---|---|
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/38345/ | x_refsource_MISC | |
http://www.securityfocus.com//archive/1/536563/100/0/threaded | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Vtiger | Vtiger CRM |
Version: 6.3.0 and earlier |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:06:35.224Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/38345/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com//archive/1/536563/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Vtiger CRM", "vendor": "Vtiger", "versions": [ { "status": "affected", "version": "6.3.0 and earlier" } ] } ], "datePublic": "2015-09-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/." 
} ], "problemTypes": [ { "descriptions": [ { "description": "File Upload", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-06T13:55:09", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/38345/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com//archive/1/536563/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2015-6000", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Vtiger CRM", "version": { "version_data": [ { "version_value": "6.3.0 and earlier" } ] } } ] }, "vendor_name": "Vtiger" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "File Upload" } ] } ] }, "references": { "reference_data": [ { "name": "http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html", "refsource": "MISC", "url": "http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html" }, { "name": "https://www.exploit-db.com/exploits/38345/", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/38345/" }, { "name": "http://www.securityfocus.com//archive/1/536563/100/0/threaded", "refsource": "MISC", "url": "http://www.securityfocus.com//archive/1/536563/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2015-6000", "datePublished": "2020-02-06T13:55:09", "dateReserved": "2015-08-14T00:00:00", "dateUpdated": "2024-08-06T07:06:35.224Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-5009 (GCVE-0-2019-5009)
Vulnerability from cvelistv5
Published
2019-01-04 14:00
Modified
2024-09-16 23:52
CWE
- n/a
Summary
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, provided the uploaded file is a valid PNG image with dimensions of 150x40 pixels. PHP code can be embedded in the image and executed using "<? ?>" tags (PHP short open tags), as demonstrated by a CompanyDetailsSave action; exploitation therefore presumably also depends on the server mapping .php3 to the PHP handler and on the short_open_tag setting. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php — the same company-logo upload path affected by CVE-2015-6000.
References
▼ | URL | Tags |
---|---|---|
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html | x_refsource_MISC | |
https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/46065 | exploit, x_refsource_EXPLOIT-DB | |
http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:40:49.181Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html" }, { "name": "46065", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/46065" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"\u003c? ?\u003e\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-01-04T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html" }, { "name": "46065", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/46065" }, { "tags": [ "x_refsource_MISC" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-5009", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"\u003c? ?\u003e\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html", "refsource": "MISC", "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html" }, { "name": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html", "refsource": "MISC", "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html" }, { "name": "46065", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46065" }, { "name": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375", "refsource": "MISC", "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-5009", "datePublished": "2019-01-04T14:00:00Z", "dateReserved": "2019-01-04T00:00:00Z", "dateUpdated": "2024-09-16T23:52:10.146Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-3911 (GCVE-0-2010-3911)
Vulnerability from cvelistv5
Published
2010-11-26 19:00
Modified
2024-08-07 03:26
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt | x_refsource_MISC | |
http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/ | x_refsource_MISC | |
http://secunia.com/advisories/42246 | third-party-advisory, x_refsource_SECUNIA | |
http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/514846/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.164Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42246" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-11-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42246" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3911", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "name": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/", "refsource": "MISC", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42246" }, { "name": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes", "refsource": "MISC", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3911", "datePublished": "2010-11-26T19:00:00", "dateReserved": "2010-10-12T00:00:00", "dateUpdated": "2024-08-07T03:26:12.164Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2006-4587 (GCVE-0-2006-4587)
Vulnerability from cvelistv5
Published
2006-09-06 22:00
Modified
2024-08-07 19:14
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/21728 | third-party-advisory, x_refsource_SECUNIA | |
http://www.security-net.biz/adv/D3906a.txt | x_refsource_MISC | |
http://www.vupen.com/english/advisories/2006/3444 | vdb-entry, x_refsource_VUPEN | |
http://www.osvdb.org/28460 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/19829 | vdb-entry, x_refsource_BID | |
http://www.osvdb.org/28461 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T19:14:47.598Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "21728", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/21728" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "ADV-2006-3444", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "name": "28460", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/28460" }, { "name": "19829", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/19829" }, { "name": "28461", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/28461" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-09-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2006-09-13T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "21728", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/21728" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "ADV-2006-3444", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "name": "28460", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/28460" }, { "name": "19829", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/19829" }, { "name": "28461", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/28461" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-4587", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "21728", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/21728" }, { "name": "http://www.security-net.biz/adv/D3906a.txt", "refsource": "MISC", "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "ADV-2006-3444", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "name": "28460", "refsource": "OSVDB", "url": "http://www.osvdb.org/28460" }, { "name": "19829", "refsource": "BID", "url": "http://www.securityfocus.com/bid/19829" }, { "name": "28461", "refsource": "OSVDB", "url": "http://www.osvdb.org/28461" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-4587", "datePublished": "2006-09-06T22:00:00", "dateReserved": "2006-09-06T00:00:00", "dateUpdated": "2024-08-07T19:14:47.598Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-4834 (GCVE-0-2016-4834)
Vulnerability from cvelistv5
Published
2016-08-01 01:00
Modified
2024-08-06 00:39
CWE
- n/a
Summary
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/92076 | vdb-entry, x_refsource_BID | |
http://jvn.jp/en/jp/JVN01956993/index.html | third-party-advisory, x_refsource_JVN | |
http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c | x_refsource_CONFIRM | |
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000126 | third-party-advisory, x_refsource_JVNDB | |
http://www.securitytracker.com/id/1036485 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:39:26.311Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "92076", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/92076" }, { "name": "JVN#01956993", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN01956993/index.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c" }, { "name": "JVNDB-2016-000126", "tags": [ "third-party-advisory", "x_refsource_JVNDB", "x_transferred" ], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000126" }, { "name": "1036485", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1036485" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-07-20T00:00:00", "descriptions": [ { "lang": "en", "value": "modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "92076", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/92076" }, { "name": "JVN#01956993", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN01956993/index.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c" }, { "name": "JVNDB-2016-000126", "tags": [ "third-party-advisory", "x_refsource_JVNDB" ], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000126" }, { "name": "1036485", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1036485" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2016-4834", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "92076", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92076" }, { "name": "JVN#01956993", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN01956993/index.html" }, { "name": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c", "refsource": "CONFIRM", "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c" }, { "name": "JVNDB-2016-000126", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000126" }, { "name": "1036485", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036485" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2016-4834", "datePublished": "2016-08-01T01:00:00", "dateReserved": "2016-05-17T00:00:00", "dateUpdated": "2024-08-06T00:39:26.311Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3824 (GCVE-0-2005-3824)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/417711/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/15569 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://securitytracker.com/id?1015274 | vdb-entry, x_refsource_SECTRACK | |
http://marc.info/?l=full-disclosure&m=113290708121951&w=2 | mailing-list, x_refsource_FULLDISC | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.381Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/17693" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3824", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "FULLDISC", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3824", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.381Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3602 (GCVE-0-2007-3602)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-09-17 01:10
CWE
- n/a
Summary
The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245 | x_refsource_MISC | |
http://forums.vtiger.com/viewtopic.php?p=44233 | x_refsource_MISC | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.410Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44233" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2007-07-06T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245" }, { "tags": [ "x_refsource_MISC" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44233" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3602", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245", "refsource": "MISC", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245" }, { "name": "http://forums.vtiger.com/viewtopic.php?p=44233", "refsource": "MISC", "url": "http://forums.vtiger.com/viewtopic.php?p=44233" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3602", "datePublished": "2007-07-06T19:00:00Z", "dateReserved": "2007-07-06T00:00:00Z", "dateUpdated": "2024-09-17T01:10:29.240Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2011-4670 (GCVE-0-2011-4670)
Vulnerability from cvelistv5
Published
2011-12-02 16:00
Modified
2024-08-07 00:09
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/36203/ | exploit, x_refsource_EXPLOIT-DB | |
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS | x_refsource_MISC | |
http://osvdb.org/76006 | vdb-entry, x_refsource_OSVDB | |
https://www.exploit-db.com/exploits/36204/ | exploit, x_refsource_EXPLOIT-DB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/70306 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/49927 | vdb-entry, x_refsource_BID | |
http://www.securityfocus.com/archive/1/519993/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://osvdb.org/76005 | vdb-entry, x_refsource_OSVDB | |
http://seclists.org/fulldisclosure/2011/Oct/154 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:09:19.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "36203", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/36203/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS" }, { "name": "76006", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/76006" }, { "name": "36204", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/36204/" }, { "name": "vtigercrm-index-phprint-xss(70306)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70306" }, { "name": "49927", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/49927" }, { "name": "20111004 vTiger CRM 5.2.x \u003c= Multiple Cross Site Scripting Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/519993/100/0/threaded" }, { "name": "76005", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/76005" }, { "name": "20111004 vTiger CRM 5.2.x \u003c= Multiple Cross Site Scripting Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/154" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-10-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname 
parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "36203", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/36203/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS" }, { "name": "76006", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/76006" }, { "name": "36204", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/36204/" }, { "name": "vtigercrm-index-phprint-xss(70306)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70306" }, { "name": "49927", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/49927" }, { "name": "20111004 vTiger CRM 5.2.x \u003c= Multiple Cross Site Scripting Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/519993/100/0/threaded" }, { "name": "76005", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/76005" }, { "name": "20111004 vTiger CRM 5.2.x \u003c= Multiple Cross Site Scripting Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/154" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4670", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) 
vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "36203", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/36203/" }, { "name": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS", "refsource": "MISC", "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS" }, { "name": "76006", "refsource": "OSVDB", "url": "http://osvdb.org/76006" }, { "name": "36204", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/36204/" }, { "name": "vtigercrm-index-phprint-xss(70306)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70306" }, { "name": "49927", "refsource": "BID", "url": "http://www.securityfocus.com/bid/49927" }, { "name": "20111004 vTiger CRM 5.2.x \u003c= Multiple Cross Site Scripting Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/519993/100/0/threaded" }, { "name": "76005", "refsource": "OSVDB", "url": "http://osvdb.org/76005" }, { "name": "20111004 vTiger CRM 5.2.x \u003c= Multiple Cross Site Scripting Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2011/Oct/154" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4670", "datePublished": "2011-12-02T16:00:00", "dateReserved": "2011-12-02T00:00:00", "dateUpdated": "2024-08-07T00:09:19.459Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3599 (GCVE-0-2007-3599)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-08-07 14:21
CWE
- n/a
Summary
vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968 | x_refsource_CONFIRM | |
http://osvdb.org/45781 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.433Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968" }, { "name": "45781", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/45781" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-15T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968" }, { "name": "45781", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/45781" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3599", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM before 5.0.3 allows remote authenticated users to 
import and export the information for a contact even when they only have the View permission." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968" }, { "name": "45781", "refsource": "OSVDB", "url": "http://osvdb.org/45781" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3599", "datePublished": "2007-07-06T19:00:00", "dateReserved": "2007-07-06T00:00:00", "dateUpdated": "2024-08-07T14:21:36.433Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-3214 (GCVE-0-2013-3214)
Vulnerability from cvelistv5
Published
2020-01-28 20:27
Modified
2024-08-06 16:00
CWE
- n/a
Summary
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
References
▼ | URL | Tags |
---|---|---|
http://www.exploit-db.com/exploits/30787 | exploit, x_refsource_EXPLOIT-DB | |
http://www.securityfocus.com/bid/61558 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/86164 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:00:10.106Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "30787", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/30787" }, { "name": "61558", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61558" }, { "name": "86164", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86164" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-01T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in \u0027vtigerolservice.php\u0027." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T20:27:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "30787", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/30787" }, { "name": "61558", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61558" }, { "name": "86164", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86164" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3214", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { 
"lang": "eng", "value": "vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in \u0027vtigerolservice.php\u0027." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "30787", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/30787" }, { "name": "61558", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61558" }, { "name": "86164", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86164" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3214", "datePublished": "2020-01-28T20:27:32", "dateReserved": "2013-04-20T00:00:00", "dateUpdated": "2024-08-06T16:00:10.106Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-45755 (GCVE-0-2025-45755)
Vulnerability from cvelistv5
Published
2025-05-21 00:00
Modified
2025-05-21 20:00
CWE
- n/a
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application fails to properly sanitize the user-supplied input, resulting in persistent (stored) script execution.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-45755", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-21T19:58:58.784219Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-21T20:00:34.450Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-21T19:37:54.373Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.vtiger.com/open-source-crm/" }, { "url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2025-45755", "datePublished": "2025-05-21T00:00:00.000Z", "dateReserved": "2025-04-22T00:00:00.000Z", "dateUpdated": "2025-05-21T20:00:34.450Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3598 (GCVE-0-2007-3598)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-09-16 18:44
CWE
- n/a
Summary
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664 | x_refsource_CONFIRM | |
http://forums.vtiger.com/viewtopic.php?p=38609 | x_refsource_MISC | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.463Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://forums.vtiger.com/viewtopic.php?p=38609" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users\u0027 names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2007-07-06T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664" }, { "tags": [ "x_refsource_MISC" ], "url": "http://forums.vtiger.com/viewtopic.php?p=38609" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3598", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users\u0027 names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664" }, { "name": "http://forums.vtiger.com/viewtopic.php?p=38609", "refsource": "MISC", "url": "http://forums.vtiger.com/viewtopic.php?p=38609" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3598", "datePublished": "2007-07-06T19:00:00Z", "dateReserved": "2007-07-06T00:00:00Z", "dateUpdated": "2024-09-16T18:44:01.936Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3247 (GCVE-0-2009-3247)
Vulnerability from cvelistv5
Published
2009-09-18 20:00
Modified
2024-08-07 06:22
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/ | x_refsource_MISC | |
http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt | x_refsource_MISC | |
http://www.osvdb.org/57240 | vdb-entry, x_refsource_OSVDB | |
http://www.exploit-db.com/exploits/9450 | exploit, x_refsource_EXPLOIT-DB | |
http://www.securityfocus.com/bid/36062 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2009/2319 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:23.994Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "57240", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/57240" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "57240", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/57240" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3247", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/", "refsource": "MISC", "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "name": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "57240", "refsource": "OSVDB", "url": "http://www.osvdb.org/57240" }, { "name": "9450", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "36062", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2319" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3247", "datePublished": "2009-09-18T20:00:00", "dateReserved": "2009-09-18T00:00:00", "dateUpdated": "2024-08-07T06:22:23.994Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2268 (GCVE-0-2014-2268)
Vulnerability from cvelistv5
Published
2014-11-16 01:00
Modified
2024-08-06 10:06
CWE
- n/a
Summary
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/66757 | vdb-entry, x_refsource_BID | |
https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html | x_refsource_MISC | |
http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html | mailing-list, x_refsource_MLIST | |
http://www.exploit-db.com/exploits/32794 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:06:00.316Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "66757", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/66757" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html" }, { "name": "[Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "name": "32794", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/32794" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-16T00:00:00", "descriptions": [ { "lang": "en", "value": "views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-11-16T00:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "66757", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/66757" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html" }, { "name": "[Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "name": "32794", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/32794" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2268", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "66757", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66757" }, { "name": "https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html", "refsource": "MISC", "url": "https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html" }, { "name": "[Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix", "refsource": "MLIST", "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "name": "32794", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/32794" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2268", "datePublished": "2014-11-16T01:00:00", "dateReserved": "2014-03-04T00:00:00", "dateUpdated": "2024-08-06T10:06:00.316Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-11057 (GCVE-0-2019-11057)
Vulnerability from cvelistv5
Published
2019-05-17 16:36
Modified
2024-08-04 22:40
CWE
- n/a
Summary
SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
References
▼ | URL | Tags |
---|---|---|
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html | mailing-list, x_refsource_MLIST | |
https://medium.com/%40mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c | x_refsource_MISC | |
https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:40:16.117Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[vtigercrm-developers] 20190403 Vtiger CRM 7.1.0 (hotfix3) Released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/%40mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-04-03T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T20:00:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[vtigercrm-developers] 20190403 Vtiger CRM 7.1.0 (hotfix3) Released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/%40mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11057", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[vtigercrm-developers] 20190403 Vtiger CRM 7.1.0 (hotfix3) Released", "refsource": "MLIST", "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "name": "https://medium.com/@mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c", "refsource": "MISC", "url": "https://medium.com/@mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11057", "datePublished": "2019-05-17T16:36:24", "dateReserved": "2019-04-09T00:00:00", "dateUpdated": "2024-08-04T22:40:16.117Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-3591 (GCVE-0-2013-3591)
Vulnerability from cvelistv5
Published
2020-02-07 14:15
Modified
2024-08-06 16:14
CWE
- PHP Code Execution
Summary
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
References
▼ | URL | Tags |
---|---|---|
https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats | x_refsource_MISC | |
https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one | x_refsource_MISC | |
http://www.securityfocus.com/bid/63454 | x_refsource_MISC | |
http://www.exploit-db.com/exploits/29319 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
vTiger CRM | vTiger CRM |
Version: 5.3 Version: 5.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:14:56.578Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com/bid/63454" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/29319" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "vTiger CRM", "vendor": "vTiger CRM", "versions": [ { "status": "affected", "version": "5.3" }, { "status": "affected", "version": "5.4" } ] } ], "descriptions": [ { "lang": "en", "value": "vTiger CRM 5.3 and 5.4: \u0027files\u0027 Upload Folder Arbitrary PHP Code Execution Vulnerability" } ], "problemTypes": [ { "descriptions": [ { "description": "PHP Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-07T14:15:28", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats" }, { "tags": [ "x_refsource_MISC" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com/bid/63454" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.exploit-db.com/exploits/29319" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2013-3591", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": 
"vTiger CRM", "version": { "version_data": [ { "version_value": "5.3" }, { "version_value": "5.4" } ] } } ] }, "vendor_name": "vTiger CRM" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vTiger CRM 5.3 and 5.4: \u0027files\u0027 Upload Folder Arbitrary PHP Code Execution Vulnerability" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "PHP Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats", "refsource": "MISC", "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats" }, { "name": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one", "refsource": "MISC", "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one" }, { "name": "http://www.securityfocus.com/bid/63454", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/63454" }, { "name": "http://www.exploit-db.com/exploits/29319", "refsource": "MISC", "url": "http://www.exploit-db.com/exploits/29319" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2013-3591", "datePublished": "2020-02-07T14:15:28", "dateReserved": "2013-05-21T00:00:00", "dateUpdated": "2024-08-06T16:14:56.578Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-19202 (GCVE-0-2019-19202)
Vulnerability from cvelistv5
Published
2019-11-21 19:54
Modified
2024-08-05 02:09
CWE
- n/a
Summary
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change their own role (privilege escalation) by adding roleid=H2 to the POST request.
References
▼ | URL | Tags |
---|---|---|
https://code.vtiger.com/vtiger/vtigercrm/issues/1126 | x_refsource_MISC | |
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:09:39.420Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/issues/1126" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-25T13:35:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/issues/1126" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19202", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://code.vtiger.com/vtiger/vtigercrm/issues/1126", "refsource": "MISC", "url": "https://code.vtiger.com/vtiger/vtigercrm/issues/1126" }, { "name": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html", "refsource": "CONFIRM", "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19202", "datePublished": "2019-11-21T19:54:18", "dateReserved": "2019-11-21T00:00:00", "dateUpdated": "2024-08-05T02:09:39.420Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-5091 (GCVE-0-2013-5091)
Vulnerability from cvelistv5
Published
2013-10-04 20:00
Modified
2024-09-17 01:16
CWE
- n/a
Summary
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
References
▼ | URL | Tags |
---|---|---|
http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html | mailing-list, x_refsource_BUGTRAQ | |
http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/ | x_refsource_CONFIRM | |
https://www.htbridge.com/advisory/HTB23168 | x_refsource_MISC | |
http://osvdb.org/76138 | vdb-entry, x_refsource_OSVDB | |
http://www.exploit-db.com/exploits/28409 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:59:41.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20130918 SQL Injection in vtiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.htbridge.com/advisory/HTB23168" }, { "name": "76138", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/76138" }, { "name": "28409", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/28409" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-10-04T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20130918 SQL Injection in vtiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.htbridge.com/advisory/HTB23168" }, { "name": "76138", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/76138" }, { "name": "28409", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/28409" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-5091", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20130918 SQL Injection in vtiger CRM", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html" }, { "name": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/" }, { "name": "https://www.htbridge.com/advisory/HTB23168", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23168" }, { "name": "76138", "refsource": "OSVDB", "url": "http://osvdb.org/76138" }, { "name": "28409", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/28409" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-5091", "datePublished": "2013-10-04T20:00:00Z", "dateReserved": "2013-08-08T00:00:00Z", "dateUpdated": "2024-09-17T01:16:46.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3819 (GCVE-0-2005-3819)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameters in the HelpDesk module.
References
▼ | URL | Tags |
---|---|---|
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://www.hardened-php.net/advisory_232005.105.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/15562 | vdb-entry, x_refsource_BID | |
http://securitytracker.com/id?1015271 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/archive/1/417730/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA | |
http://www.osvdb.org/21225 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.480Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015271" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" }, { "name": "21225", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/21225" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015271" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/17693" }, { "name": "21225", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/21225" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3819", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "http://www.hardened-php.net/advisory_232005.105.html", "refsource": "MISC", "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015271" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" }, { "name": "21225", "refsource": "OSVDB", "url": "http://www.osvdb.org/21225" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3819", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.480Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-38891 (GCVE-0-2023-38891)
Vulnerability from cvelistv5
Published
2023-09-14 00:00
Modified
2024-09-25 20:23
CWE
- n/a
Summary
SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:54:38.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php#L395" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jselliott/CVE-2023-38891" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-38891", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-25T20:22:16.212497Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-25T20:23:04.889Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-14T22:24:03.562280", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php#L395" }, { "url": "https://github.com/jselliott/CVE-2023-38891" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-38891", "datePublished": "2023-09-14T00:00:00", "dateReserved": "2023-07-25T00:00:00", "dateUpdated": "2024-09-25T20:23:04.889Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-54687 (GCVE-0-2024-54687)
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:05
CWE
- n/a
Summary
Vtiger CRM v6.1 and earlier is vulnerable to cross-site scripting (XSS) via the Documents module and the uploadAndSaveFile function in CRMEntity.php.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-54687", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-13T20:03:34.302362Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-13T20:05:45.029Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-10T18:12:14.324958", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://andrea0.medium.com" }, { "url": "https://andrea0.medium.com/analysis-of-cve-2024-54687-9d82f4c0eaa8" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-54687", "datePublished": "2025-01-10T00:00:00", "dateReserved": "2024-12-06T00:00:00", "dateUpdated": "2025-01-13T20:05:45.029Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-44779 (GCVE-0-2024-44779)
Vulnerability from cvelistv5
Published
2024-08-29 00:00
Modified
2024-08-29 19:03
CWE
- n/a
Summary
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary script in the context of a user's browser by injecting a crafted payload.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "status": "affected", "version": "7.4.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-44779", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T19:00:10.897177Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T19:03:08.761Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T17:53:33.801565", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://vtiger.com" }, { "url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-44779", "datePublished": "2024-08-29T00:00:00", "dateReserved": "2024-08-21T00:00:00", "dateUpdated": "2024-08-29T19:03:08.761Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3258 (GCVE-0-2009-3258)
Vulnerability from cvelistv5
Published
2009-09-18 21:00
Modified
2024-09-17 01:21
CWE
- n/a
Summary
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://forums.vtiger.com/viewtopic.php?t=16756 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249 | x_refsource_CONFIRM | |
http://forums.vtiger.com/viewtopic.php?t=15094 | x_refsource_CONFIRM | |
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:23.812Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://forums.vtiger.com/viewtopic.php?t=16756" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://forums.vtiger.com/viewtopic.php?t=15094" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-09-18T21:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://forums.vtiger.com/viewtopic.php?t=16756" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://forums.vtiger.com/viewtopic.php?t=15094" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3258", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://forums.vtiger.com/viewtopic.php?t=16756", "refsource": "CONFIRM", "url": "http://forums.vtiger.com/viewtopic.php?t=16756" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249" }, { "name": "http://forums.vtiger.com/viewtopic.php?t=15094", "refsource": "CONFIRM", "url": "http://forums.vtiger.com/viewtopic.php?t=15094" }, { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3258", "datePublished": "2009-09-18T21:00:00Z", "dateReserved": "2009-09-18T00:00:00Z", "dateUpdated": "2024-09-17T01:21:10.084Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-3910 (GCVE-0-2010-3910)
Vulnerability from cvelistv5
Published
2010-11-26 19:00
Modified
2024-08-07 03:26
CWE
- n/a
Summary
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt | x_refsource_MISC | |
http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/ | x_refsource_MISC | |
http://secunia.com/advisories/42246 | third-party-advisory, x_refsource_SECUNIA | |
http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/514846/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.216Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42246" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-11-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42246" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3910", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "name": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/", "refsource": "MISC", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42246" }, { "name": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes", "refsource": "MISC", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3910", "datePublished": "2010-11-26T19:00:00", "dateReserved": "2010-10-12T00:00:00", "dateUpdated": "2024-08-07T03:26:12.216Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-19362 (GCVE-0-2020-19362)
Vulnerability from cvelistv5
Published
2021-01-20 00:42
Modified
2024-08-04 14:08
CWE
- n/a
Summary
Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php via the view parameter can allow an attacker to perform malicious actions in the browser of users who open a maliciously crafted link or third-party web page.
References
▼ | URL | Tags |
---|---|---|
https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/ | x_refsource_MISC | |
https://emreovunc.com/blog/en/vtiger_crm_xss_03.png | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:08:30.667Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_xss_03.png" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-20T00:42:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_xss_03.png" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-19362", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/", "refsource": "MISC", "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "name": "https://emreovunc.com/blog/en/vtiger_crm_xss_03.png", "refsource": "MISC", "url": "https://emreovunc.com/blog/en/vtiger_crm_xss_03.png" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-19362", "datePublished": "2021-01-20T00:42:56", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:08:30.667Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-45753 (GCVE-0-2025-45753)
Vulnerability from cvelistv5
Published
2025-05-21 00:00
Modified
2025-05-22 13:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-45753", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:25:07.838963Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T13:26:12.175Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-21T20:42:06.813Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.simonjuguna.com/cve-2025-45753-authenticated-remote-code-execution-vulnerability-in-vtiger-open-source-edition-v8-3-0/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2025-45753", "datePublished": "2025-05-21T00:00:00.000Z", "dateReserved": "2025-04-22T00:00:00.000Z", "dateUpdated": "2025-05-22T13:26:12.175Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-1713 (GCVE-0-2016-1713)
Vulnerability from cvelistv5
Published
2017-04-14 18:00
Modified
2024-08-05 23:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.
References
▼ | URL | Tags |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/01/12/7 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2016/01/12/4 | mailing-list, x_refsource_MLIST | |
http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/44379/ | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:02:12.907Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20160112 Re: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/7" }, { "name": "[oss-security] 20160112 CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html" }, { "name": "44379", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/44379/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-01T09:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20160112 Re: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/7" }, { "name": "[oss-security] 20160112 CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/4" }, { "tags": [ "x_refsource_MISC" ], "url": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html" }, { "name": "44379", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/44379/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-1713", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20160112 Re: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/12/7" }, { "name": "[oss-security] 20160112 CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/12/4" }, { "name": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html", "refsource": "MISC", "url": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html" }, { "name": "44379", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44379/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1713", "datePublished": "2017-04-14T18:00:00", "dateReserved": "2016-01-12T00:00:00", "dateUpdated": "2024-08-05T23:02:12.907Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-48119 (GCVE-0-2024-48119)
Vulnerability from cvelistv5
Published
2024-10-14 00:00
Modified
2024-10-17 17:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Vtiger CRM v8.2.0 has an HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "status": "affected", "version": "8.2.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-48119", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T17:31:38.560198Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-17T17:32:57.909Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-14T13:42:20.618976", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://okankurtulus.com.tr/2024/09/12/vtiger-crm-v8-2-0-html-injection-authenticated/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-48119", "datePublished": "2024-10-14T00:00:00", "dateReserved": "2024-10-08T00:00:00", "dateUpdated": "2024-10-17T17:32:57.909Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-44777 (GCVE-0-2024-44777)
Vulnerability from cvelistv5
Published
2024-08-29 00:00
Modified
2024-08-29 19:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "status": "affected", "version": "7.4.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-44777", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T19:06:47.240923Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T19:07:31.796Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T17:49:33.095481", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://vtiger.com" }, { "url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-44777", "datePublished": "2024-08-29T00:00:00", "dateReserved": "2024-08-21T00:00:00", "dateUpdated": "2024-08-29T19:07:31.796Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3248 (GCVE-0-2009-3248)
Vulnerability from cvelistv5
Published
2009-09-18 20:00
Modified
2024-08-07 06:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/ | x_refsource_MISC | |
http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt | x_refsource_MISC | |
http://www.exploit-db.com/exploits/9450 | exploit, x_refsource_EXPLOIT-DB | |
http://marc.info/?l=bugtraq&m=125060676515670&w=2 | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/36062 | vdb-entry, x_refsource_BID | |
http://www.osvdb.org/57238 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2009/2319 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:24.888Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "57238", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/57238" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "57238", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/57238" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3248", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/", "refsource": "MISC", "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "name": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "9450", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36062" }, { "name": "57238", "refsource": "OSVDB", "url": "http://www.osvdb.org/57238" }, { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2319" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3248", "datePublished": "2009-09-18T20:00:00", "dateReserved": "2009-09-18T00:00:00", "dateUpdated": "2024-08-07T06:22:24.888Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-44778 (GCVE-0-2024-44778)
Vulnerability from cvelistv5
Published
2024-08-29 00:00
Modified
2024-08-29 19:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "status": "affected", "version": "7.4.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-44778", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T19:04:46.600613Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T19:05:39.451Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T17:51:45.689467", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://vtiger.com" }, { "url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-44778", "datePublished": "2024-08-29T00:00:00", "dateReserved": "2024-08-21T00:00:00", "dateUpdated": "2024-08-29T19:05:39.451Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3617 (GCVE-0-2007-3617)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-08-07 14:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM | |
http://osvdb.org/45804 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.490Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "45804", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/45804" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-13T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "45804", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/45804" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3617", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The report module in vtiger CRM before 5.0.3 does not 
properly apply security rules, which allows remote authenticated users to read arbitrary private module entries." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "45804", "refsource": "OSVDB", "url": "http://osvdb.org/45804" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3617", "datePublished": "2007-07-06T19:00:00", "dateReserved": "2007-07-06T00:00:00", "dateUpdated": "2024-08-07T14:21:36.490Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2269 (GCVE-0-2014-2269)
Vulnerability from cvelistv5
Published
2014-04-21 14:00
Modified
2024-08-06 10:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/66758 | vdb-entry, x_refsource_BID | |
http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:06:00.272Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "66758", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/66758" }, { "name": "[Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-16T00:00:00", "descriptions": [ { "lang": "en", "value": "modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-21T11:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "66758", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/66758" }, { "name": "[Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2269", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "66758", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66758" }, { "name": "[Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix", "refsource": "MLIST", "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2269", "datePublished": "2014-04-21T14:00:00", "dateReserved": "2014-03-04T00:00:00", "dateUpdated": "2024-08-06T10:06:00.272Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-22807 (GCVE-0-2020-22807)
Vulnerability from cvelistv5
Published
2021-04-29 18:17
Modified
2024-08-04 14:51
CWE
- n/a
Summary
An issue was discovered in vtiger CRM 7.2: a UNION-based SQL injection in the Calendar module's exportdata feature. The record names no fixed version and cites only a single third-party write-up, so treat the affected range as "7.2 and possibly earlier" until confirmed against the vendor's changelog.
References
▼ | URL | Tags |
---|---|---|
https://cloud.tencent.com/developer/article/1612208 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:51:11.131Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cloud.tencent.com/developer/article/1612208" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-04-10T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-29T18:17:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cloud.tencent.com/developer/article/1612208" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-22807", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://cloud.tencent.com/developer/article/1612208", "refsource": "MISC", "url": "https://cloud.tencent.com/developer/article/1612208" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-22807", "datePublished": "2021-04-29T18:17:51", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:51:11.131Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3603 (GCVE-0-2007-3603)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-08-07 14:21
CWE
- n/a
Summary
SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196 | x_refsource_CONFIRM | |
http://forums.vtiger.com/viewtopic.php?p=44717 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM | |
http://osvdb.org/45782 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.399Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "45782", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/45782" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-13T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "45782", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/45782" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3603", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "name": "http://forums.vtiger.com/viewtopic.php?p=44717", "refsource": "CONFIRM", "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "45782", "refsource": "OSVDB", "url": "http://osvdb.org/45782" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423", "refsource": "MISC", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3603", "datePublished": "2007-07-06T19:00:00", "dateReserved": "2007-07-06T00:00:00", "dateUpdated": "2024-08-07T14:21:36.399Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-8047 (GCVE-0-2018-8047)
Vulnerability from cvelistv5
Published
2019-06-06 18:21
Modified
2024-08-05 06:46
CWE
- n/a
Summary
vtiger CRM 7.0.1 (and probably prior versions) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. It could allow remote unauthenticated attackers to inject arbitrary web script or HTML via the app parameter of index.php?module=Contacts&view=List; because no authentication is required, the injection point is reachable from a crafted link before login.
References
▼ | URL | Tags |
---|---|---|
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:46:12.276Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts\u0026view=List (app parameter)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-06T18:21:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-8047", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts\u0026view=List (app parameter)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001", "refsource": "MISC", "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-8047", "datePublished": "2019-06-06T18:21:40", "dateReserved": "2018-03-11T00:00:00", "dateUpdated": "2024-08-05T06:46:12.276Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3601 (GCVE-0-2007-3601)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-08-07 14:21
CWE
- n/a
Summary
vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view.
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/45785 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.407Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "45785", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/45785" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users\u0027 calendar activities via a (1) home page or (2) event list view." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-15T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "45785", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/45785" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3601", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM before 5.0.3, when a 
migrated build is used, allows remote authenticated users to read certain other users\u0027 calendar activities via a (1) home page or (2) event list view." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "45785", "refsource": "OSVDB", "url": "http://osvdb.org/45785" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3601", "datePublished": "2007-07-06T19:00:00", "dateReserved": "2007-07-06T00:00:00", "dateUpdated": "2024-08-07T14:21:36.407Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-3101 (GCVE-0-2008-3101)
Vulnerability from cvelistv5
Published
2008-09-03 14:00
Modified
2024-08-07 09:28
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/30951 | vdb-entry, x_refsource_BID | |
http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html | x_refsource_MISC | |
http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload&tx_abdownloads_pi1%5Buid%5D=128&tx_abdownloads_pi1%5Bcategory_uid%5D=5&cHash=e16be773a5 | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/44792 | vdb-entry, x_refsource_XF | |
http://securityreason.com/securityalert/4208 | third-party-advisory, x_refsource_SREASON | |
http://www.vupen.com/english/advisories/2008/2471 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/31679 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/495885/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T09:28:40.486Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "30951", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/30951" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload\u0026tx_abdownloads_pi1%5Buid%5D=128\u0026tx_abdownloads_pi1%5Bcategory_uid%5D=5\u0026cHash=e16be773a5" }, { "name": "vtigercrm-index-xss(44792)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44792" }, { "name": "4208", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4208" }, { "name": "ADV-2008-2471", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2471" }, { "name": "31679", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/31679" }, { "name": "20080901 Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/495885/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-09-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in 
an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "30951", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/30951" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload\u0026tx_abdownloads_pi1%5Buid%5D=128\u0026tx_abdownloads_pi1%5Bcategory_uid%5D=5\u0026cHash=e16be773a5" }, { "name": "vtigercrm-index-xss(44792)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44792" }, { "name": "4208", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4208" }, { "name": "ADV-2008-2471", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2471" }, { "name": "31679", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/31679" }, { "name": "20080901 Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/495885/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3101", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { 
"product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "30951", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30951" }, { "name": "http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html", "refsource": "MISC", "url": "http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html" }, { "name": "http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload\u0026tx_abdownloads_pi1[uid]=128\u0026tx_abdownloads_pi1[category_uid]=5\u0026cHash=e16be773a5", "refsource": "MISC", "url": "http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload\u0026tx_abdownloads_pi1[uid]=128\u0026tx_abdownloads_pi1[category_uid]=5\u0026cHash=e16be773a5" }, { "name": "vtigercrm-index-xss(44792)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44792" }, { "name": "4208", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4208" }, { "name": "ADV-2008-2471", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2471" }, { "name": "31679", "refsource": "SECUNIA", "url": 
"http://secunia.com/advisories/31679" }, { "name": "20080901 Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/495885/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3101", "datePublished": "2008-09-03T14:00:00", "dateReserved": "2008-07-09T00:00:00", "dateUpdated": "2024-08-07T09:28:40.486Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3600 (GCVE-0-2007-3600)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-08-07 14:21
CWE
- n/a
Summary
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790 | x_refsource_CONFIRM | |
http://osvdb.org/45784 | vdb-entry, x_refsource_OSVDB | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.464Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790" }, { "name": "45784", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/45784" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-15T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790" }, { "name": "45784", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/45784" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3600", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790" }, { "name": "45784", "refsource": "OSVDB", "url": "http://osvdb.org/45784" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845", "refsource": "MISC", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3600", "datePublished": "2007-07-06T19:00:00", "dateReserved": "2007-07-06T00:00:00", "dateUpdated": "2024-08-07T14:21:36.464Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-7326 (GCVE-0-2013-7326)
Vulnerability from cvelistv5
Published
2014-02-14 19:00
Modified
2024-08-06 18:01
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/89662 | vdb-entry, x_refsource_XF | |
http://packetstormsecurity.com/files/124402 | x_refsource_MISC | |
http://osvdb.org/100897 | vdb-entry, x_refsource_OSVDB | |
http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html | mailing-list, x_refsource_BUGTRAQ | |
http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05 | x_refsource_MISC | |
http://www.securityfocus.com/bid/64236 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:01:20.394Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "vtiger-multiple-xss(89662)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/124402" }, { "name": "100897", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/100897" }, { "name": "20131211 [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05" }, { "name": "64236", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/64236" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-12-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\\com_vtiger_workflow\\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "vtiger-multiple-xss(89662)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/124402" }, { "name": "100897", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/100897" }, { "name": "20131211 [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05" }, { "name": "64236", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/64236" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7326", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\\com_vtiger_workflow\\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "vtiger-multiple-xss(89662)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662" }, { "name": "http://packetstormsecurity.com/files/124402", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/124402" }, { "name": "100897", "refsource": "OSVDB", "url": "http://osvdb.org/100897" }, { "name": "20131211 [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html" }, { "name": "http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05", "refsource": "MISC", "url": "http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05" }, { "name": "64236", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64236" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7326", "datePublished": "2014-02-14T19:00:00", "dateReserved": "2014-02-14T00:00:00", "dateUpdated": "2024-08-06T18:01:20.394Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3820 (GCVE-0-2005-3820)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/417711/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/15569 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://www.hardened-php.net/advisory_232005.105.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/15562 | vdb-entry, x_refsource_BID | |
http://securitytracker.com/id?1015271 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/archive/1/417730/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://securitytracker.com/id?1015274 | vdb-entry, x_refsource_SECTRACK | |
http://marc.info/?l=full-disclosure&m=113290708121951&w=2 | mailing-list, x_refsource_FULLDISC | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015271" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": 
"2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte (\"%00\") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015271" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": 
"http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/17693" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3820", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte (\"%00\") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "http://www.hardened-php.net/advisory_232005.105.html", "refsource": "MISC", "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "name": "15562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15562" }, { "name": "1015271", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015271" }, { "name": "20051124 Advisory 23/2005: vTiger multiple vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "name": "1015274", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "FULLDISC", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3820", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-44776 (GCVE-0-2024-44776)
Vulnerability from cvelistv5
Published
2024-08-29 00:00
Modified
2025-03-25 16:10
CWE
- n/a
Summary
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-44776", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T19:09:10.787930Z", "version": "2.0.3" }, "type": "ssvc" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-25T16:10:43.727Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-29T17:44:52.296Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://vtiger.com" }, { "url": "https://packetstormsecurity.com/files/180461/vTiger-CRM-7.4.0-Open-Redirection.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-44776", "datePublished": "2024-08-29T00:00:00.000Z", "dateReserved": "2024-08-21T00:00:00.000Z", "dateUpdated": "2025-03-25T16:10:43.727Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-3604 (GCVE-0-2007-3604)
Vulnerability from cvelistv5
Published
2007-07-06 19:00
Modified
2024-08-07 14:21
CWE
- n/a
Summary
vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php.
References
▼ | URL | Tags |
---|---|---|
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196 | x_refsource_CONFIRM | |
http://forums.vtiger.com/viewtopic.php?p=44717 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 | x_refsource_CONFIRM | |
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423 | x_refsource_MISC | |
http://osvdb.org/45783 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.598Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "name": "45783", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/45783" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-13T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "name": "45783", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/45783" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3604", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "name": "http://forums.vtiger.com/viewtopic.php?p=44717", "refsource": "CONFIRM", "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "name": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423", "refsource": "MISC", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "name": "45783", "refsource": "OSVDB", "url": "http://osvdb.org/45783" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3604", "datePublished": "2007-07-06T19:00:00", "dateReserved": "2007-07-06T00:00:00", "dateUpdated": "2024-08-07T14:21:36.598Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-3909 (GCVE-0-2010-3909)
Vulnerability from cvelistv5
Published
2010-11-26 19:00
Modified
2024-08-07 03:26
CWE
- n/a
Summary
Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt | x_refsource_MISC | |
http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/ | x_refsource_MISC | |
http://secunia.com/advisories/42246 | third-party-advisory, x_refsource_SECUNIA | |
http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/514846/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:26:12.289Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42246" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-11-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42246" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3909", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "name": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/", "refsource": "MISC", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "name": "42246", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42246" }, { "name": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes", "refsource": "MISC", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "name": "20101116 Vtiger CRM 5.2.0 Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3909", "datePublished": "2010-11-26T19:00:00", "dateReserved": "2010-10-12T00:00:00", "dateUpdated": "2024-08-07T03:26:12.289Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3823 (GCVE-0-2005-3823)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/417711/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/15569 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://securitytracker.com/id?1015274 | vdb-entry, x_refsource_SECTRACK | |
http://marc.info/?l=full-disclosure&m=113290708121951&w=2 | mailing-list, x_refsource_FULLDISC | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.311Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/17693" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3823", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "1015274", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "FULLDISC", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3823", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.311Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2006-4588 (GCVE-0-2006-4588)
Vulnerability from cvelistv5
Published
2006-09-06 22:00
Modified
2024-08-07 19:14
CWE
- n/a
Summary
vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings module.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/21728 | third-party-advisory, x_refsource_SECUNIA | |
http://www.security-net.biz/adv/D3906a.txt | x_refsource_MISC | |
http://www.vupen.com/english/advisories/2006/3444 | vdb-entry, x_refsource_VUPEN | |
http://www.securityfocus.com/bid/19829 | vdb-entry, x_refsource_BID | |
http://www.osvdb.org/28462 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T19:14:47.594Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "21728", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/21728" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "ADV-2006-3444", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "name": "19829", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/19829" }, { "name": "28462", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/28462" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-09-04T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings module." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2006-09-13T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "21728", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/21728" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "ADV-2006-3444", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "name": "19829", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/19829" }, { "name": "28462", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/28462" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-4588", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings module." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "21728", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/21728" }, { "name": "http://www.security-net.biz/adv/D3906a.txt", "refsource": "MISC", "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "name": "ADV-2006-3444", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "name": "19829", "refsource": "BID", "url": "http://www.securityfocus.com/bid/19829" }, { "name": "28462", "refsource": "OSVDB", "url": "http://www.osvdb.org/28462" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-4588", "datePublished": "2006-09-06T22:00:00", "dateReserved": "2006-09-06T00:00:00", "dateUpdated": "2024-08-07T19:14:47.594Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-42995 (GCVE-0-2024-42995)
Vulnerability from cvelistv5
Published
2024-08-16 00:00
Modified
2024-08-16 17:53
CWE
- n/a
Summary
VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "lessThanOrEqual": "8.1.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-42995", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-16T17:51:00.562336Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-16T17:53:33.090Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "VTiger CRM \u003c= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the \"Migration\" administrative module to disable arbitrary modules." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-16T16:54:16.270559", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.shielder.com/advisories/vtiger-migration-bac/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-42995", "datePublished": "2024-08-16T00:00:00", "dateReserved": "2024-08-05T00:00:00", "dateUpdated": "2024-08-16T17:53:33.090Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3249 (GCVE-0-2009-3249)
Vulnerability from cvelistv5
Published
2009-09-18 20:00
Modified
2024-08-07 06:22
CWE
- n/a
Summary
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files.
References
▼ | URL | Tags |
---|---|---|
http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/ | x_refsource_MISC | |
http://securityreason.com/securityalert/8118 | third-party-advisory, x_refsource_SREASON | |
http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt | x_refsource_MISC | |
http://www.osvdb.org/57239 | vdb-entry, x_refsource_OSVDB | |
http://www.exploit-db.com/exploits/9450 | exploit, x_refsource_EXPLOIT-DB | |
http://marc.info/?l=bugtraq&m=125060676515670&w=2 | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/36062 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/36309 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2009/2319 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:23.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "name": "8118", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/8118" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "57239", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/57239" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "name": "8118", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/8118" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "57239", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/57239" }, { "name": "9450", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3249", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/", "refsource": "MISC", "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "name": "8118", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8118" }, { "name": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "name": "57239", "refsource": "OSVDB", "url": "http://www.osvdb.org/57239" }, { "name": "9450", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/9450" }, { "name": "20090818 Vtiger CRM 5.0.4 Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "name": "36062", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36062" }, { "name": "36309", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36309" }, { "name": "ADV-2009-2319", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2319" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3249", "datePublished": "2009-09-18T20:00:00", "dateReserved": "2009-09-18T00:00:00", "dateUpdated": "2024-08-07T06:22:23.988Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2005-3822 (GCVE-0-2005-3822)
Vulnerability from cvelistv5
Published
2005-11-26 02:00
Modified
2024-08-07 23:24
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/417711/30/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/15569 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2005/2569 | vdb-entry, x_refsource_VUPEN | |
http://securityreason.com/securityalert/203 | third-party-advisory, x_refsource_SREASON | |
http://securitytracker.com/id?1015274 | vdb-entry, x_refsource_SECTRACK | |
http://marc.info/?l=full-disclosure&m=113290708121951&w=2 | mailing-list, x_refsource_FULLDISC | |
http://secunia.com/advisories/17693 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T23:24:36.334Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "203", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/203" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/17693" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "203", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/203" }, { "name": "1015274", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/17693" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3822", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the 
Contacts module." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "name": "15569", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15569" }, { "name": "ADV-2005-2569", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "name": "203", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/203" }, { "name": "1015274", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015274" }, { "name": "20051125 SEC Consult SA-20051125-0 :: More Vulnerabilities in vTiger CRM", "refsource": "FULLDISC", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "name": "17693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17693" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3822", "datePublished": "2005-11-26T02:00:00", "dateReserved": "2005-11-26T00:00:00", "dateUpdated": "2024-08-07T23:24:36.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2011-4680 (GCVE-0-2011-4680)
Vulnerability from cvelistv5
Published
2011-12-07 19:00
Modified
2024-09-17 02:32
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://wiki.vtiger.com/index.php/Jan2011:ODUpdate | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:16:33.438Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-12-07T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4680", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate", "refsource": "CONFIRM", "url": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4680", "datePublished": "2011-12-07T19:00:00Z", "dateReserved": "2011-12-06T00:00:00Z", "dateUpdated": "2024-09-17T02:32:53.070Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-3215 (GCVE-0-2013-3215)
Vulnerability from cvelistv5
Published
2020-01-29 17:21
Modified
2024-08-06 16:00
CWE
- n/a
Summary
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/61559 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/86163 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:00:10.161Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "61559", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61559" }, { "name": "86163", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86163" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-01T00:00:00", "descriptions": [ { "lang": "en", "value": "vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-29T17:21:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "61559", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61559" }, { "name": "86163", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86163" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3215", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "61559", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61559" }, { "name": "86163", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86163" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3215", "datePublished": "2020-01-29T17:21:01", "dateReserved": "2013-04-20T00:00:00", "dateUpdated": "2024-08-06T16:00:10.161Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-38335 (GCVE-0-2022-38335)
Vulnerability from cvelistv5
Published
2022-09-27 17:10
Modified
2025-05-21 14:55
CWE
- n/a
Summary
Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
References
▼ | URL | Tags |
---|---|---|
https://www.vtiger.com/ | x_refsource_MISC | |
https://code.vtiger.com/vtiger/vtigercrm | x_refsource_MISC | |
https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:54:03.274Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.vtiger.com/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://code.vtiger.com/vtiger/vtigercrm" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-38335", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-21T14:55:27.900635Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-21T14:55:58.666Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-27T17:10:22.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.vtiger.com/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://code.vtiger.com/vtiger/vtigercrm" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-38335", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.vtiger.com/", "refsource": "MISC", "url": "https://www.vtiger.com/" }, { "name": "https://code.vtiger.com/vtiger/vtigercrm", "refsource": "MISC", "url": "https://code.vtiger.com/vtiger/vtigercrm" }, { "name": "https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting", "refsource": "MISC", "url": "https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-38335", "datePublished": "2022-09-27T17:10:22.000Z", "dateReserved": "2022-08-15T00:00:00.000Z", "dateUpdated": "2025-05-21T14:55:58.666Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46304 (GCVE-0-2023-46304)
Vulnerability from cvelistv5
Published
2024-04-30 00:00
Modified
2024-08-02 20:45
CWE
- n/a
Summary
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "vtiger_crm", "vendor": "vtiger", "versions": [ { "status": "affected", "version": "*7.5.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-46304", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-30T14:46:31.688571Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:22:16.036Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:45:40.776Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.vtiger.com/" }, { "tags": [ "x_transferred" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jselliott/CVE-2023-46304" }, { "tags": [ "x_transferred" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": 
"affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-30T13:04:03.597574", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.vtiger.com/" }, { "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php" }, { "url": "https://github.com/jselliott/CVE-2023-46304" }, { "url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-46304", "datePublished": "2024-04-30T00:00:00", "dateReserved": "2023-10-22T00:00:00", "dateUpdated": "2024-08-02T20:45:40.776Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2006-5289 (GCVE-0-2006-5289)
Vulnerability from cvelistv5
Published
2006-10-13 20:00
Modified
2024-08-07 19:48
CWE
- n/a
Summary
Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php.
References
▼ | URL | Tags |
---|---|---|
http://advisories.echo.or.id/adv/adv54-theday-2006.txt | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/29416 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/20435 | vdb-entry, x_refsource_BID | |
http://securityreason.com/securityalert/1722 | third-party-advisory, x_refsource_SREASON | |
https://www.exploit-db.com/exploits/2508 | exploit, x_refsource_EXPLOIT-DB | |
http://www.securityfocus.com/archive/1/448092/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T19:48:28.676Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt" }, { "name": "vtiger-update-file-include(29416)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29416" }, { "name": "20435", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/20435" }, { "name": "1722", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/1722" }, { "name": "2508", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/2508" }, { "name": "20061009 [ECHO_ADV_54$2006]vtiger CRM \u003c=4.2 (calpath) Multiple Remote File Inclusion Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/448092/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-10-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt" }, { "name": "vtiger-update-file-include(29416)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29416" }, { "name": "20435", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/20435" }, { "name": "1722", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/1722" }, { "name": "2508", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/2508" }, { "name": "20061009 [ECHO_ADV_54$2006]vtiger CRM \u003c=4.2 (calpath) Multiple Remote File Inclusion Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/448092/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-5289", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt", "refsource": "MISC", "url": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt" }, { "name": "vtiger-update-file-include(29416)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29416" }, { "name": "20435", "refsource": "BID", "url": "http://www.securityfocus.com/bid/20435" }, { "name": "1722", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1722" }, { "name": "2508", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/2508" }, { "name": "20061009 [ECHO_ADV_54$2006]vtiger CRM \u003c=4.2 (calpath) Multiple Remote File Inclusion Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/448092/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-5289", "datePublished": "2006-10-13T20:00:00", "dateReserved": "2006-10-13T00:00:00", "dateUpdated": "2024-08-07T19:48:28.676Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2010-11-26 20:00
Modified
2025-04-11 00:51
Summary
Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "11DDE2EA-CD9C-456F-ADBF-BDBF13569065", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "367F7FC6-7C3F-4CC3-8448-B9F8834CFDF7", "versionEndIncluding": "5.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3:*:*:*:*:*:*:*", "matchCriteriaId": "458323BE-8583-435D-85B6-9F5F66F664A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:validation:*:*:*:*:*", "matchCriteriaId": "661FD257-5B33-4DFE-AC59-AB48D1D12712", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by 
using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree." }, { "lang": "es", "value": "Vulnerabilidad de la lista negra incompleta en config.template.php en vtiger CRM antes de v5.2.1 permite a usuarios remotos autenticados ejecutar c\u00f3digo arbitrario mediante la caracter\u00edstica de guardado de borrador en el componente Compose Mail para cargar un archivo con extensi\u00f3n .phtml, y luego acceder a este archivo a trav\u00e9s de una solicitud directa al archivo en el almacenamiento / \u00e1rbol de directorios." } ], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/184.html\r\n\r\n\u0027CWE-184: Incomplete Blacklist\u0027", "id": "CVE-2010-3909", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-11-26T20:00:03.877", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42246" }, { "source": "cve@mitre.org", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "source": "cve@mitre.org", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" }, { "source": "cve@mitre.org", "url": 
"http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42246" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-11-26 20:00
Modified
2025-04-11 00:51
Summary
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "367F7FC6-7C3F-4CC3-8448-B9F8834CFDF7", "versionEndIncluding": "5.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3:*:*:*:*:*:*:*", "matchCriteriaId": "458323BE-8583-435D-85B6-9F5F66F664A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:validation:*:*:*:*:*", "matchCriteriaId": "661FD257-5B33-4DFE-AC59-AB48D1D12712", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en la funci\u00f3n return_application_language en include/utils/utils.php en vtiger CRM anterior a v5.2.1 permite a atacantes remotos incluir y ejecutar archivos locales a trav\u00e9s de un .. (punto punto) en (1) el par\u00e1metro lang_crm a phprint.php o (2) el par\u00e1metro current_language en una acci\u00f3n Accounts Import a graph.php." } ], "id": "CVE-2010-3910", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-11-26T20:00:03.940", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42246" }, { "source": "cve@mitre.org", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "source": "cve@mitre.org", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42246" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Summary
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module." } ], "id": "CVE-2005-3822", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/203" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015274" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/203" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-16 17:15
Modified
2025-04-28 14:09
Summary
VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.shielder.com/advisories/vtiger-migration-bac/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "55C5E8CB-FCC4-4211-A9ED-1AFDE2F99280", "versionEndIncluding": "8.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "VTiger CRM \u003c= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the \"Migration\" administrative module to disable arbitrary modules." }, { "lang": "es", "value": "VTiger CRM \u0026lt;= 8.1.0 no verifica correctamente los privilegios de usuario. Un usuario con pocos privilegios puede interactuar directamente con el m\u00f3dulo administrativo \"Migraci\u00f3n\" para desactivar m\u00f3dulos arbitrarios." } ], "id": "CVE-2024-42995", "lastModified": "2025-04-28T14:09:10.273", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-08-16T17:15:15.273", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.shielder.com/advisories/vtiger-migration-bac/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2008-09-03 14:12
Modified
2025-04-09 00:30
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php." }, { "lang": "es", "value": "Multiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en vtiger CRM 5.0.4 permiten a atacantes remotos inyectar web script o HTML a trav\u00e9s del par\u00e1metro (1) parenttab en una acci\u00f3n index del m\u00f3dulo Products, como se llega a trav\u00e9s de index.php; (2) el par\u00e1metro user_password en una acci\u00f3n Authenticate del m\u00f3dulo Users, como se llega a trav\u00e9s de index.php; o (3) el par\u00e1metro query_string en una acci\u00f3n UnifiedSearch del m\u00f3dulo Home, como se llega a trav\u00e9s de index.php." 
} ], "id": "CVE-2008-3101", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2008-09-03T14:12:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/31679" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4208" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/495885/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/30951" }, { "source": "cve@mitre.org", "url": "http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload\u0026tx_abdownloads_pi1%5Buid%5D=128\u0026tx_abdownloads_pi1%5Bcategory_uid%5D=5\u0026cHash=e16be773a5" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2471" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44792" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/31679" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4208" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Exploit" ], "url": "http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/495885/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/30951" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload\u0026tx_abdownloads_pi1%5Buid%5D=128\u0026tx_abdownloads_pi1%5Bcategory_uid%5D=5\u0026cHash=e16be773a5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2471" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44792" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Summary
The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin." }, { "lang": "es", "value": "El servicio web SOAP en vtiger CRM versiones anteriores a 5.0.3 no asegura que cuentas autenticadas est\u00e9n activas, lo cual permite a atacantes remotos con cuentas inactivas acceder y modificar datos, como se demuestra con el plugin de Thunderbird." } ], "id": "CVE-2007-3602", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44233" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Patch" ], "url": "http://forums.vtiger.com/viewtopic.php?p=44233" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Summary
The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries." }, { "lang": "es", "value": "El m\u00f3dulo informe en vtiger CRM versiones anteriores a 5.0.3 no aplica apropiadamente las reglas de seguridad, lo cual permite a usuarios remotos autenticados leer entradas de m\u00f3dulo privadas de su elecci\u00f3n." } ], "id": "CVE-2007-3617", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/45804" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45804" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2013-10-04 20:55
Modified
2025-04-11 00:51
Summary
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html | Third Party Advisory | |
cve@mitre.org | http://osvdb.org/76138 | Broken Link | |
cve@mitre.org | http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/ | Patch, Third Party Advisory | |
cve@mitre.org | http://www.exploit-db.com/exploits/28409 | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.htbridge.com/advisory/HTB23168 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/76138 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/ | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/28409 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.htbridge.com/advisory/HTB23168 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.2.0 | |
vtiger | vtiger_crm | 5.2.1 | |
vtiger | vtiger_crm | 5.3.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "438D7E04-6248-46B3-B357-2C2C9492B96F", "versionEndIncluding": "5.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:it:*:*:*:*", "matchCriteriaId": "83868C6E-8280-428D-9162-443FE263581F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:validation:*:*:*", "matchCriteriaId": "DA72C37D-EB9E-46BD-946C-B87DAC303CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:patch1:*:*:*:*:*:*", "matchCriteriaId": "F535C8AA-1422-412C-A1D5-6EE37A726181", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6CC38DA-63AA-4C1B-9626-4C4641E87576", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"FBC5BA70-9EB8-4118-AE90-9B450AECCDD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0C75930-986A-44F0-997F-C7066C696551", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en CalendarCommon.php en vTiger CRM 5.4.0 y posiblemente anteriores versiones permite a atacantes remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro onlyforuser e una acci\u00f3n index a index.php. NOTA: este problema podr\u00eda ser un duplicado del CVE-2011-4559." } ], "id": "CVE-2013-5091", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-10-04T20:55:03.857", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/76138" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://www.exploit-db.com/exploits/28409" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.htbridge.com/advisory/HTB23168" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/76138" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://www.exploit-db.com/exploits/28409" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.htbridge.com/advisory/HTB23168" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-08-04 19:41
Modified
2025-04-09 00:30
Summary
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BE467FF-870E-47A8-800D-C16FC260229C", "versionEndIncluding": "5.0.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory." }, { "lang": "es", "value": "Vtiger CRM versiones anteriores a 5.0.4 almacena informaci\u00f3n sensible bajo la ra\u00edz web con insuficiente control de acceso, lo cual permite a atacantes remotos leer plantillas combinadas de mail a trav\u00e9s de una petici\u00f3n directa al directorio wordtemplatedownload." } ], "id": "CVE-2008-3458", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-08-04T19:41:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/28370" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://sourceforge.net/project/shownotes.php?release_id=567189" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811" }, { "source": "cve@mitre.org", "tags": [ 
"Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/40218" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/27228" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/28370" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://sourceforge.net/project/shownotes.php?release_id=567189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/40218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/27228" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-04-30 13:15
Modified
2025-04-22 17:53
Summary
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "7ED159B0-85DF-49E3-8C5E-E82F215A3E1C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load)." }, { "lang": "es", "value": "module/Users/models/Module.php en Vtiger CRM 7.5.0 permite que un atacante remoto autenticado ejecute c\u00f3digo PHP arbitrario porque un endpoint desprotegido le permite escribir este c\u00f3digo en el archivo config.inc.php (ejecutado en cada carga de p\u00e1gina) ." } ], "id": "CVE-2023-46304", "lastModified": "2025-04-22T17:53:58.067", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-04-30T13:15:46.763", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://github.com/jselliott/CVE-2023-46304" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.vtiger.com/" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://github.com/jselliott/CVE-2023-46304" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.vtiger.com/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2006-10-13 20:07
Modified
2025-04-09 00:30
Summary
Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 4.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades PHP de inclusi\u00f3n remota de archivo en Vtiger CRM 4.2 y anteriores permite a un atacante remoto ejecutar c\u00f3digo PHP de su elecci\u00f3n a trav\u00e9s de una URL en el par\u00e1metro calpath en (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, o (3) modules/Calendar/calendar.php." } ], "id": "CVE-2006-5289", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-10-13T20:07:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1722" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/448092/100/0/threaded" }, { "source": 
"cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/20435" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29416" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/2508" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1722" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/448092/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/20435" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29416" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/2508" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-06 14:15
Modified
2024-11-21 02:34
Summary
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.
References
Source | URL | Tags | |
---|---|---|---|
cret@cert.org | http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html | Exploit, Third Party Advisory | |
cret@cert.org | http://www.securityfocus.com//archive/1/536563/100/0/threaded | Exploit, Third Party Advisory, VDB Entry | |
cret@cert.org | https://www.exploit-db.com/exploits/38345/ | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com//archive/1/536563/100/0/threaded | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/38345/ | Exploit, Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8CAA671-943C-4E1A-B860-8F9FE8139EFC", "versionEndIncluding": "6.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/." }, { "lang": "es", "value": "Una vulnerabilidad de carga de archivos sin restricciones en la clase Settings_Vtiger_CompanyDetailsSave_Action en el archivo modules/Settings/Vtiger/actions/CompanyDetailsSave.php en Vtiger CRM versiones 6.3.0 y anteriores, permite a usuarios autenticados remotos ejecutar c\u00f3digo arbitrario mediante la carga de un archivo con una extensi\u00f3n ejecutable, y luego acceder a \u00e9l por medio de un petici\u00f3n directa al archivo en test/logo/." 
} ], "id": "CVE-2015-6000", "lastModified": "2024-11-21T02:34:16.470", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-06T14:15:10.597", "references": [ { "source": "cret@cert.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html" }, { "source": "cret@cert.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com//archive/1/536563/100/0/threaded" }, { "source": "cret@cert.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/38345/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": 
"http://www.securityfocus.com//archive/1/536563/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/38345/" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-14 23:15
Modified
2024-11-21 08:14
Summary
SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php#L395 | Third Party Advisory | |
cve@mitre.org | https://github.com/jselliott/CVE-2023-38891 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php#L395 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/jselliott/CVE-2023-38891 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "7ED159B0-85DF-49E3-8C5E-E82F215A3E1C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php." }, { "lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en Vtiger CRM v.7.5.0 permite a un atacante remoto autenticado escalar privilegios a trav\u00e9s de la funci\u00f3n getQueryColumnsList en ReportRun.php." } ], "id": "CVE-2023-38891", "lastModified": "2024-11-21T08:14:23.810", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-14T23:15:07.587", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php#L395" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/jselliott/CVE-2023-38891" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php#L395" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/jselliott/CVE-2023-38891" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": 
"Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-11-28 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "86EA5190-ADF3-4A18-9344-D335BF31CC44", "versionEndIncluding": "5.2.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:validation:*:*:*:*:*", "matchCriteriaId": "661FD257-5B33-4DFE-AC59-AB48D1D12712", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6CC38DA-63AA-4C1B-9626-4C4641E87576", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo de calendario en vTiger CRM v5.2.1 y anteriores permite a atacantes remotos ejecutar comandos SQL a trav\u00e9s del par\u00e1metro onlyforuser en una acci\u00f3n \u00edndice a index.php." 
} ], "id": "CVE-2011-4559", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-11-28T21:55:07.997", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/76138" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/224" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/520006/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/49948" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70344" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/76138" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/224" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/520006/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/49948" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70344" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity ?
Summary
vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission." }, { "lang": "es", "value": "vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados importar y exportar la informaci\u00f3n de un contacto incluso cuando solamente disponen de permiso Ver." } ], "id": "CVE-2007-3599", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/45781" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45781" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-07 15:15
Modified
2024-11-21 01:53
Severity ?
Summary
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
References
▼ | URL | Tags | |
---|---|---|---|
cret@cert.org | http://www.exploit-db.com/exploits/29319 | Exploit, Third Party Advisory, VDB Entry | |
cret@cert.org | http://www.securityfocus.com/bid/63454 | Third Party Advisory, VDB Entry | |
cret@cert.org | https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one | Third Party Advisory | |
cret@cert.org | https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/29319 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/63454 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.3.0 | |
vtiger | vtiger_crm | 5.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "B4544E4F-856A-463D-8DAC-D93263AFF687", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "CA25F187-AA8A-447E-A78C-B98C0545EEF4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vTiger CRM 5.3 and 5.4: \u0027files\u0027 Upload Folder Arbitrary PHP Code Execution Vulnerability" }, { "lang": "es", "value": "vTiger CRM versiones 5.3 y 5.4: Vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo PHP Arbitraria en la Carpeta de Carga \"files\"." } ], "id": "CVE-2013-3591", "lastModified": "2024-11-21T01:53:56.820", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-07T15:15:10.383", "references": [ { "source": "cret@cert.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": 
"http://www.exploit-db.com/exploits/29319" }, { "source": "cret@cert.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/63454" }, { "source": "cret@cert.org", "tags": [ "Third Party Advisory" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one" }, { "source": "cret@cert.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/29319" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/63454" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-12-07 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://wiki.vtiger.com/index.php/Jan2011:ODUpdate | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://wiki.vtiger.com/index.php/Jan2011:ODUpdate | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.2.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "29C2C106-F074-445B-9C3C-B28252EE36D6", "versionEndIncluding": "5.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3:*:*:*:*:*:*:*", "matchCriteriaId": "458323BE-8583-435D-85B6-9F5F66F664A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:it:*:*:*:*", "matchCriteriaId": "83868C6E-8280-428D-9162-443FE263581F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:validation:*:*:*:*:*", "matchCriteriaId": "661FD257-5B33-4DFE-AC59-AB48D1D12712", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:patch1:*:*:*:*:*:*", "matchCriteriaId": "F535C8AA-1422-412C-A1D5-6EE37A726181", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FBC5BA70-9EB8-4118-AE90-9B450AECCDD2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": 
"Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en el portal del cliente en vtiger CRM antes de v5.2.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2011-4680", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2011-12-07T19:55:02.470", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-01-28 21:15
Modified
2024-11-21 01:53
Severity ?
Summary
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.exploit-db.com/exploits/30787 | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | http://www.securityfocus.com/bid/61558 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/86164 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/30787 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/61558 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/86164 | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "438D7E04-6248-46B3-B357-2C2C9492B96F", "versionEndIncluding": "5.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in \u0027vtigerolservice.php\u0027." }, { "lang": "es", "value": "vtiger CRM versiones 5.4.0 y anteriores, contiene una vulnerabilidad de inyecci\u00f3n de c\u00f3digo PHP en el archivo \"vtigerolservice.php\"." } ], "id": "CVE-2013-3214", "lastModified": "2024-11-21T01:53:11.690", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-28T21:15:11.733", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/30787" }, { "source": "cve@mitre.org", "tags": [ "Third Party 
Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/61558" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86164" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/30787" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/61558" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86164" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-29 18:15
Modified
2024-09-03 18:33
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Summary
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://vtiger.com | Product | |
cve@mitre.org | https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "3929CDEE-B429-4C81-B70A-1AC975979606", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload." }, { "lang": "es", "value": "Una vulnerabilidad de Cross Site Scripting (XSS) reflejado en el par\u00e1metro viewname de la p\u00e1gina de \u00edndice de vTiger CRM 7.4.0 permite a los atacantes ejecutar c\u00f3digo arbitrario en el contexto del navegador de un usuario mediante la inyecci\u00f3n de un payload especialmente manipulado." } ], "id": "CVE-2024-44779", "lastModified": "2024-09-03T18:33:51.297", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-08-29T18:15:14.730", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Product" ], "url": "http://vtiger.com" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2014-02-14 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9C606815-FD44-4528-9CCD-1CCA8B59F145", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\\com_vtiger_workflow\\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php." }, { "lang": "es", "value": "Vulnerabilidad de XSS en vTiger CRM 5.4.0 permite a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del (1) par\u00e1metro return_url hacia modules\\com_vtiger_workflow\\savetemplate.php, o vectores no especificados hacia (2) deletetask.php, (3) edittask.php, (4) savetask.php, o (5) saveworkflow.php." } ], "id": "CVE-2013-7326", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-02-14T19:55:26.717", "references": [ { "source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/100897" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/124402" }, { "source": "cve@mitre.org", "tags": [ "URL Repurposed" ], "url": 
"http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64236" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/100897" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/124402" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "URL Repurposed" ], "url": "http://www.enkomio.com/Advisory/SOJOBO-ADV-13-05" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64236" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte (\"%00\") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file." } ], "id": "CVE-2005-3820", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015271" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015274" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/15562" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015271" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/15562" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-20 01:15
Modified
2024-11-21 05:09
Severity ?
Summary
Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions against users who open a maliciously crafted link or third-party web page.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://emreovunc.com/blog/en/vtiger_crm_xss_03.png | Third Party Advisory | |
cve@mitre.org | https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://emreovunc.com/blog/en/vtiger_crm_xss_03.png | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "67080A37-5696-44F6-ABEC-8F1F6D646E95", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page." }, { "lang": "es", "value": "Una vulnerabilidad de tipo XSS reflejado en Vtiger CRM versi\u00f3n v7.2.0, en el archivo vtigercrm/index.php?\u0026#xa0;mediante el par\u00e1metro view puede resultar en que un atacante lleve a cabo acciones maliciosas para usuarios que abren un v\u00ednculo dise\u00f1ado malicioso o una p\u00e1gina web de terceros" } ], "id": "CVE-2020-19362", "lastModified": "2024-11-21T05:09:09.227", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2021-01-20T01:15:13.333", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_xss_03.png" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_xss_03.png" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-09-06 22:04
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en vtiger CRM 4.2.4, y posiblemente anteriores, permitem a un atacante remoto inyectar secuencias de comandos web o HTML a trav\u00e9s del (1) par\u00e1metro description en modulos no especificados o el (2) par\u00e1metro solution en el modulo HelpDesk." 
} ], "id": "CVE-2006-4587", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-09-06T22:04:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/21728" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/28460" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/28461" }, { "source": "cve@mitre.org", "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/19829" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/21728" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/28460" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/28461" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/19829" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/3444" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], 
"source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-21 20:15
Modified
2024-11-21 04:34
Severity ?
Summary
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html | Patch, Vendor Advisory | |
cve@mitre.org | https://code.vtiger.com/vtiger/vtigercrm/issues/1126 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://code.vtiger.com/vtiger/vtigercrm/issues/1126 | Exploit, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FD82881-2C4C-4C05-8115-308391F3E80B", "versionEndExcluding": "7.2.0", "versionStartIncluding": "7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request." }, { "lang": "es", "value": "En Vtiger versiones 7.x anteriores a 7.2.0, la funcionalidad de guardado en My Preferences permite a un usuario sin privilegios administrativos cambiar su propio rol agregando roleid=H2 a una petici\u00f3n POST." } ], "id": "CVE-2019-19202", "lastModified": "2024-11-21T04:34:19.083", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-21T20:15:15.833", "references": [ { "source": 
"cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/issues/1126" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://code.vtiger.com/vtiger/vtigercrm/issues/1126" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-276" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-11-26 20:00
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "367F7FC6-7C3F-4CC3-8448-B9F8834CFDF7", "versionEndIncluding": "5.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3:*:*:*:*:*:*:*", "matchCriteriaId": "458323BE-8583-435D-85B6-9F5F66F664A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:validation:*:*:*:*:*", "matchCriteriaId": "661FD257-5B33-4DFE-AC59-AB48D1D12712", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings 
GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados en vtiger CRM anterior a v5.2.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del campo (1) nombre de usuario (tambi\u00e9n conocido como default_user_name) o (2) el campo contrase\u00f1a en una acci\u00f3n User Login a index.php, o (3) el par\u00e1metro etiqueta en una acci\u00f3n Settings GetFieldInfo a index.php, reaccionado con modules/Settings/GetFieldInfo.php." } ], "id": "CVE-2010-3911", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2010-11-26T20:00:03.970", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42246" }, { "source": "cve@mitre.org", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "source": "cve@mitre.org", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42246" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-08-01 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD6FED22-B0C8-4534-BE5E-E45D41845429", "versionEndIncluding": "6.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors." }, { "lang": "es", "value": "modules/Users/actions/Save.php en Vtiger CRM 6.4.0 y versiones anteriores no restringe adecuadamente acciones user-save, lo que permite a usuarios remotos autenticados crear o modificar cuentas de usuarios a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2016-4834", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-08-01T02:59:14.620", 
"references": [ { "source": "vultures@jpcert.or.jp", "tags": [ "Issue Tracking", "Patch" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c" }, { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://jvn.jp/en/jp/JVN01956993/index.html" }, { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000126" }, { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/92076" }, { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1036485" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://jvn.jp/en/jp/JVN01956993/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000126" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/92076" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1036485" } ], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-24 18:29
Modified
2024-11-21 02:44
Severity ?
Summary
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.ripstech.com/2016/vtiger-sql-injection/ | Exploit, Third Party Advisory | |
cve@mitre.org | https://demo.ripstech.com/projects/vtiger_6.5.0 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.ripstech.com/2016/vtiger-sql-injection/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://demo.ripstech.com/projects/vtiger_6.5.0 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 6.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:6.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1597C9F3-C9D4-4409-B549-065361E8697C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter." }, { "lang": "es", "value": "En Vtiger CRM versi\u00f3n 6.5.0, el archivo modules/Calendar/Activity.php permite la inyecci\u00f3n de SQL por medio del par\u00e1metro contactidlist." } ], "id": "CVE-2016-10754", "lastModified": "2024-11-21T02:44:40.170", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-24T18:29:00.410", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2016/vtiger-sql-injection/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://demo.ripstech.com/projects/vtiger_6.5.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2016/vtiger-sql-injection/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://demo.ripstech.com/projects/vtiger_6.5.0" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-09-06 22:04
Modified
2025-04-03 01:03
Severity ?
Summary
vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings module.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct request to index.php with a modified module parameter, as demonstrated using the Settings module." }, { "lang": "es", "value": "vtiger CRM 4.2.4, y posiblemente anteriores, permiten a un atacante remoto evitar la validaci\u00f3n y acceder a modulos de administraci\u00f3n a trav\u00e9s de una pregunta directa a index.php con un par\u00e1metro modificado de modulo, como se demostr\u00f3 con el uso del m\u00f3dulo Settings." 
} ], "id": "CVE-2006-4588", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-09-06T22:04:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/21728" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/28462" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/19829" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/3444" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/21728" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/28462" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/19829" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/3444" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-29 18:15
Modified
2024-09-03 18:34
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Summary
A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://vtiger.com | Product | |
cve@mitre.org | https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "3929CDEE-B429-4C81-B70A-1AC975979606", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload." }, { "lang": "es", "value": "Una vulnerabilidad de Cross Site Scripting (XSS) reflejado en el par\u00e1metro principal de la p\u00e1gina de \u00edndice de vTiger CRM 7.4.0 permite a los atacantes ejecutar c\u00f3digo arbitrario en el contexto del navegador de un usuario mediante la inyecci\u00f3n de un payload especialmente manipulado." } ], "id": "CVE-2024-44778", "lastModified": "2024-09-03T18:34:36.987", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-08-29T18:15:14.633", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Product" ], "url": "http://vtiger.com" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Severity ?
Summary
The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action." } ], "id": "CVE-2005-3824", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015274" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-16 17:15
Modified
2025-04-28 14:10
Severity ?
Summary
VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.shielder.com/advisories/vtiger-mailmanager-sqli/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "55C5E8CB-FCC4-4211-A9ED-1AFDE2F99280", "versionEndIncluding": "8.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "VTiger CRM \u003c= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the \"CompanyDetails\" operation of the \"MailManager\" module." }, { "lang": "es", "value": "VTiger CRM \u0026lt;= 8.1.0 no desinfecta adecuadamente la entrada del usuario antes de usarla en una declaraci\u00f3n SQL, lo que genera una inyecci\u00f3n de SQL en la operaci\u00f3n \"CompanyDetails\" del m\u00f3dulo \"MailManager\"." } ], "id": "CVE-2024-42994", "lastModified": "2025-04-28T14:10:13.853", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-08-16T17:15:15.153", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.shielder.com/advisories/vtiger-mailmanager-sqli/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-14 18:59
Modified
2025-04-20 01:37
Severity ?
Summary
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html | Exploit, Technical Description, Third Party Advisory | |
cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/01/12/4 | Mailing List, Third Party Advisory | |
cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/01/12/7 | Mailing List | |
cve@mitre.org | https://www.exploit-db.com/exploits/44379/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html | Exploit, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/01/12/4 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/01/12/7 | Mailing List | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/44379/ |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 6.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "2878BBEF-4C27-473A-B107-9422394BF0B2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000." }, { "lang": "es", "value": "Vulnerabilidad de subida de archivos sin restricciones en Vtger CRM 6.4.0 en Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php permite a los usuarios autenticados remotos ejecutar c\u00f3digo arbitrario subiendo un archivo de imagen elaborado con una extensi\u00f3n ejecutable y accediendo a ella a trav\u00e9s de una solicitud directa al archivo en test/logo/. NOTA: esta vulnerabilidad existe debido a una correcci\u00f3n incompleta para CVE-2015-6000." 
} ], "id": "CVE-2016-1713", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-14T18:59:00.237", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/4" }, { "source": "cve@mitre.org", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/7" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/44379/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party 
Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2016/01/12/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/44379/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-29 19:15
Modified
2024-11-21 05:13
Severity ?
Summary
An issue was discovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cloud.tencent.com/developer/article/1612208 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cloud.tencent.com/developer/article/1612208 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "67080A37-5696-44F6-ABEC-8F1F6D646E95", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature." }, { "lang": "es", "value": "Se detect\u00f3 un problema en vtiger crm versi\u00f3n 7.2.\u0026#xa0;Una Inyecci\u00f3n sql de uni\u00f3n en la funcionalidad calendar exportdata." } ], "id": "CVE-2020-22807", "lastModified": "2024-11-21T05:13:25.380", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-29T19:15:08.827", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cloud.tencent.com/developer/article/1612208" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party 
Advisory" ], "url": "https://cloud.tencent.com/developer/article/1612208" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-17 17:29
Modified
2024-11-21 04:20
Severity ?
Summary
SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 7.1.0 | |
vtiger | vtiger_crm | 7.1.0 | |
vtiger | vtiger_crm | 7.1.0 | |
vtiger | vtiger_crm | 7.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3EEF382-AB9D-45C3-9B1B-95F67556707C", "versionEndIncluding": "7.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "A513046B-B65A-4662-B0E4-AAF11E6351F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "5EBD043D-53C6-4C4C-9D17-0CE7BEC3541C", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix2:*:*:*:*:*:*", "matchCriteriaId": "4D4311D3-4C53-4238-A37B-16F09959011B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "A1BC8698-9AA0-411D-9F8F-3A6346E3BDF3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands." }, { "lang": "es", "value": "La vulnerabilidad de la inyecci\u00f3n de SQL en Vtiger CRM antes de la revisi\u00f3n 7.1.03 permite a los usuarios autenticados ejecutar comandos SQL arbitrarios." 
} ], "id": "CVE-2019-11057", "lastModified": "2024-11-21T04:20:27.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-17T17:29:00.280", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html" }, { "source": "cve@mitre.org", "url": "https://medium.com/%40mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 20:30
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo Activities en vtiger CRM v5.0.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"action\" al phprint.php. NOTA: el vector query_String actualmente est\u00e1 reportado en el CVE-2008-3101." } ], "id": "CVE-2009-3247", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-09-18T20:30:00.217", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/57240" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], 
"url": "http://www.securityfocus.com/bid/36062" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/57240" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity ?
Summary
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users\u0027 names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo." }, { "lang": "es", "value": "index.php de vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados obtener todos los nombres de usuario y direcciones de correo electr\u00f3nico, y posiblemente cambiar propiedades de usuario, mediante un par\u00e1metro de registro modificado en una acci\u00f3n DetailView en el m\u00f3dulo Users.\r\nNOTA: El fabricante impugna el cambio de propiedades, argumentando que el vector de ataque concluye con un mensaje de error \"No est\u00e1s autorizado a ejecutar esta Operaci\u00f3n\" en una demostraci\u00f3n 5.0.3." 
} ], "id": "CVE-2007-3598", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://forums.vtiger.com/viewtopic.php?p=38609" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://forums.vtiger.com/viewtopic.php?p=38609" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-05-21 21:16
Modified
2025-06-10 19:34
Severity ?
Summary
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 8.3.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:8.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "031C0516-9769-485B-8632-F97CC5E45BEA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature." }, { "lang": "es", "value": "Una vulnerabilidad en Vtiger CRM Open Source Edition v8.3.0 permite a un atacante con privilegios de administrador ejecutar c\u00f3digo PHP arbitrario explotando la funcionalidad de importaci\u00f3n ZIP en la funci\u00f3n de importaci\u00f3n de m\u00f3dulos." } ], "id": "CVE-2025-45753", "lastModified": "2025-06-10T19:34:41.410", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-05-21T21:16:03.403", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.simonjuguna.com/cve-2025-45753-authenticated-remote-code-execution-vulnerability-in-vtiger-open-source-edition-v8-3-0/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER[\u0027PHP_SELF\u0027] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module." } ], "id": "CVE-2005-3818", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015271" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/21227" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/21228" }, { "source": 
"cve@mitre.org", "url": "http://www.osvdb.org/21229" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/21230" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/15562" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23362" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23363" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015271" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/21227" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/21228" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/21229" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/21230" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/15562" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23362" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23363" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-02 16:05
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.1 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.2.0 | |
vtiger | vtiger_crm | 5.2.1 | |
vtiger | vtiger_crm | 5.3.0 | |
vtiger | vtiger_crm | 5.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC7C1821-E227-4A80-8350-12F50320BBF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6CC38DA-63AA-4C1B-9626-4C4641E87576", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FBC5BA70-9EB8-4118-AE90-9B450AECCDD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0C75930-986A-44F0-997F-C7066C696551", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9C606815-FD44-4528-9CCD-1CCA8B59F145", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote 
attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades inyecci\u00f3n SQL en vTiger CRM 5.0.0 hasta 5.4.0 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del (1) par\u00e1metro picklist_name en el m\u00e9todo get_picklists hacia soap/customerportal.php, (2) par\u00e1metro where en el m\u00e9todo get_tickets_list hacia soap/customerportal.php o (3) par\u00e1metro emailaddress en el m\u00e9todo SearchContactsByEmail hacia soap/vtigerolservice.php; o usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del (4) par\u00e1metro emailaddress en el m\u00e9todo SearchContactsByEmail hacia soap/thunderbirdplugin.php." 
} ], "id": "CVE-2013-3213", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-04-02T16:05:49.267", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://karmainsecurity.com/KIS-2013-06" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/61563" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86129" }, { "source": "cve@mitre.org", "url": "https://www.vtiger.com/blogs/?p=1467" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://karmainsecurity.com/KIS-2013-06" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/61563" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86129" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vtiger.com/blogs/?p=1467" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-09-07 00:04
Modified
2025-04-03 01:03
Severity ?
Summary
Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E26BF3B-7A7B-48FB-802E-648AD3FE7F2B", "versionEndIncluding": "4.2.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder." }, { "lang": "es", "value": "Vulnerabilidad de actualizaci\u00f3n de archivo no restrictiva en fileupload.html en vtiger CRM 4.2.4, y posiblemente versiones anteriores, permite a un atacante remoto actualizar y ejecutar ficheros de su elecci\u00f3n con extensiones ejecutables en la carpeta /cashe/mails." } ], "id": "CVE-2006-4617", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-09-07T00:04:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://www.osvdb.org/28459" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.security-net.biz/adv/D3906a.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/28459" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.security-net.biz/adv/D3906a.txt" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-01-29 18:15
Modified
2024-11-21 01:53
Severity ?
Summary
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/61559 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/86163 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/61559 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/86163 | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "33759AF8-FCE0-4A2B-92B9-8D769E775A76", "versionEndIncluding": "5.4.0", "versionStartIncluding": "5.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function." }, { "lang": "es", "value": "vtiger CRM versi\u00f3n 5.4.0 y versiones anteriores, contiene una vulnerabilidad de Omisi\u00f3n de Autenticaci\u00f3n debido a una comprobaci\u00f3n de autenticaci\u00f3n inapropiada en la funci\u00f3n validateSession." } ], "id": "CVE-2013-3215", "lastModified": "2024-11-21T01:53:11.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-29T18:15:12.077", "references": [ { "source": "cve@mitre.org", "tags": [ 
"Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/61559" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86163" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/61559" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86163" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-11-16 01:59
Modified
2025-04-12 10:46
Severity ?
Summary
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.1 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.2.0 | |
vtiger | vtiger_crm | 5.2.1 | |
vtiger | vtiger_crm | 5.3.0 | |
vtiger | vtiger_crm | 5.4.0 | |
vtiger | vtiger_crm | 6.0.0 | |
vtiger | vtiger_crm | 6.0.0 | |
vtiger | vtiger_crm | 6.0.0 | |
vtiger | vtiger_crm | 6.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", 
"matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC7C1821-E227-4A80-8350-12F50320BBF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6CC38DA-63AA-4C1B-9626-4C4641E87576", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FBC5BA70-9EB8-4118-AE90-9B450AECCDD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0C75930-986A-44F0-997F-C7066C696551", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9C606815-FD44-4528-9CCD-1CCA8B59F145", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "7EB06F94-373E-4F6C-8CB8-213FA3A72D67", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:6.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "9D79C369-1213-4B81-9CB0-35580B25551C", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:6.0.0:rc:*:*:*:*:*:*", "matchCriteriaId": "6B9429C4-5A10-4EF6-9C7E-C82CC7D0F55F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:6.0.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "CAF939F1-16C4-4CED-9DB5-A6A60656D9E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter." }, { "lang": "es", "value": "views/Index.php en el m\u00f3dulo de instalaci\u00f3n en vTiger 6.0 anterior a Security Patch 2 no restringe correctamente el acceso, lo que permite a atacantes remotos re-instalar la aplicaci\u00f3n a trav\u00e9s de una serie de peticiones configuradas como cabecera tipo X-Requested-With HTTP, como se demostr\u00f3 ejecutando c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro db_name." 
} ], "id": "CVE-2014-2268", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-11-16T01:59:00.130", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://www.exploit-db.com/exploits/32794" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/66757" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://www.exploit-db.com/exploits/32794" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/66757" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-09-27 23:15
Modified
2025-05-21 15:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D8A1355-909B-47DD-9E07-E5C638066B5C", "versionEndIncluding": "7.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules." }, { "lang": "es", "value": "Se ha detectado que Vtiger CRM versi\u00f3n v7.4.0, contiene una vulnerabilidad de tipo cross-site scripting (XSS) almacenado por medio de los m\u00f3dulos e-mail template" } ], "id": "CVE-2022-38335", "lastModified": "2025-05-21T15:15:57.697", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-09-27T23:15:15.120", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://code.vtiger.com/vtiger/vtigercrm" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.vtiger.com/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://code.vtiger.com/vtiger/vtigercrm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.vtiger.com/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2011-12-07 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003 | Exploit, Vendor Advisory | |
cve@mitre.org | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004 | Exploit, Vendor Advisory | |
cve@mitre.org | http://wiki.vtiger.com/index.php/Oct2011:ODUpdate | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://wiki.vtiger.com/index.php/Oct2011:ODUpdate | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "6064A0B5-6F6B-436F-9852-2A23B879CC1C", "versionEndExcluding": "5.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report." }, { "lang": "es", "value": "vtiger CRM antes de v5.3.0 no reconoce adecuadamente el estado deshabilitado de un campo en el m\u00f3dulo Leads, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso intencionadas leyendo un informe previamente creado." } ], "id": "CVE-2011-4679", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-12-07T19:55:02.440", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity ?
Summary
vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users\u0027 calendar activities via a (1) home page or (2) event list view." }, { "lang": "es", "value": "vtiger CRM versiones anteriores a 5.0.3, cuando se utiliza una versi\u00f3n migrada, permite a usuarios remotos autenticados leer determinadas actividades de calendario de otros usuarios mediante (1) una p\u00e1gina de inicio \u00f3 (2) una vista de lista de eventos." } ], "id": "CVE-2007-3601", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/45785" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45785" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-12-02 16:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "86EA5190-ADF3-4A18-9344-D335BF31CC44", "versionEndIncluding": "5.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en vTiger CRM versi\u00f3n 5.2.1 y anteriores, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio del (1) par\u00e1metro viewname en una acci\u00f3n CalendarAjax, (2) par\u00e1metro activity_mode en una acci\u00f3n DetailView, par\u00e1metros (3) contact_id y (4) parent_id en una acci\u00f3n EditView, par\u00e1metros (5) day, (6) month, (7) subtab, (8) view y (9) viewOption en la acci\u00f3n index y par\u00e1metro (10) start en la acci\u00f3n ListView en el m\u00f3dulo Calendar; par\u00e1metros (11) return_action y (12) return_modules en la acci\u00f3n EditView y par\u00e1metro (13) query en una acci\u00f3n index en el m\u00f3dulo Campaigns; par\u00e1metros (14) return_url y (15) workflow_ids en una acci\u00f3n editworkflow en el m\u00f3dulo com_vtiger_workflow; par\u00e1metro (16) display_view en una acci\u00f3n index para el m\u00f3dulo Dashboard; par\u00e1metros (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage y (23) type en una acci\u00f3n ListView para el m\u00f3dulo Potentials; par\u00e1metro (24) folderid en una acci\u00f3n SaveandRun en el m\u00f3dulo Reports; par\u00e1metros (25) returnaction y (26) groupId en una acci\u00f3n createnewgroup, par\u00e1metros (27) mode y (28) parent en una acci\u00f3n createrole, par\u00e1metro (29) src_module en una acci\u00f3n ModuleManager, par\u00e1metros (30) mode y (31) profile_id en una acci\u00f3n profilePrivileges y par\u00e1metro (32) roleid en un RoleDetailView para el m\u00f3dulo Settings; y par\u00e1metro (33) action para el m\u00f3dulo Home y (34) module en el archivo phprint.php." 
} ], "id": "CVE-2011-4670", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2011-12-02T16:55:02.420", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/76005" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/76006" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/154" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/519993/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/49927" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70306" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/36203/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/36204/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/76005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Broken Link" ], "url": "http://osvdb.org/76006" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2011/Oct/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/519993/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/49927" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70306" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/36203/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/36204/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 20:30
Modified
2025-04-09 00:30
Severity ?
Summary
The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP Server configurations, (2) .php. on Windows, or (3) .php/ on Linux, and then making a direct request to a certain pathname under storage/.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP Server configurations, (2) .php. on Windows, or (3) .php/ on Linux, and then making a direct request to a certain pathname under storage/." }, { "lang": "es", "value": "El procedimiento \"saveForwardAttachments\" de la funcionalidad \"Crear correo\" de vtiger CRM v5.0.4 permite a usuarios remotos autenticados ejecutar c\u00f3digo de su elecci\u00f3n creando un mensaje de correo electr\u00f3nico con un fichero adjunto cuyo nombre acabe en (1) .php en entornos basados en configuraciones determinadas del servidor HTTP Apache, (2) .php. en Windows, o (3) .php/ en Linux; y, a continuaci\u00f3n, realizando una petici\u00f3n directa a una ruta de directorio bajostorage/." 
} ], "id": "CVE-2009-3250", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-18T20:30:00.313", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/57237" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.osvdb.org/57237" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-01-28 21:15
Modified
2024-11-21 01:53
Severity ?
Summary
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.exploit-db.com/exploits/27279 | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | http://www.securityfocus.com/bid/61560 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/86162 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/27279 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/61560 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/86162 | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "438D7E04-6248-46B3-B357-2C2C9492B96F", "versionEndIncluding": "5.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in \u0027customerportal.php\u0027 which allows remote attackers to view files and execute local script code." }, { "lang": "es", "value": "vtiger CRM versiones 5.4.0 y anteriores, contienen vulnerabilidades de inclusi\u00f3n de archivo local en el archivo \"customerportal.php\" que permite a atacantes remotos visualizar archivos y ejecutar c\u00f3digo de script local." } ], "id": "CVE-2013-3212", "lastModified": "2024-11-21T01:53:11.407", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-28T21:15:11.637", "references": [ { "source": "cve@mitre.org", 
"tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/27279" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/61560" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86162" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/27279" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/61560" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86162" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 20:30
Modified
2025-04-09 00:30
Severity ?
Summary
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://secunia.com/advisories/36309 | Third Party Advisory | |
cve@mitre.org | http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407 | Patch, Vendor Advisory | |
cve@mitre.org | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208 | Issue Tracking, Vendor Advisory | |
cve@mitre.org | http://www.osvdb.org/57241 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/36309 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.osvdb.org/57241 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "29C2C106-F074-445B-9C3C-B28252EE36D6", "versionEndIncluding": "5.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view." }, { "lang": "es", "value": "include/utils/ListViewUtils.php en vtiger CRM anteriores a 5.1.0 permite a usuarios remotos autenticados evitar las restricciones de acceso previstas y leer los campos (1) visibilidad, (2) localizaci\u00f3n, y (3) recurrencia de un calendario a trav\u00e9s de una vista personalizada." } ], "id": "CVE-2009-3251", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-18T20:30:00.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208" }, { "source": 
"cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.osvdb.org/57241" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.osvdb.org/57241" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-29 18:15
Modified
2025-03-25 17:16
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://vtiger.com | Product | |
cve@mitre.org | https://packetstormsecurity.com/files/180461/vTiger-CRM-7.4.0-Open-Redirection.html | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "3929CDEE-B429-4C81-B70A-1AC975979606", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL." }, { "lang": "es", "value": "Una vulnerabilidad de redirecci\u00f3n abierta en el par\u00e1metro de p\u00e1gina de vTiger CRM v7.4.0 permite a los atacantes redirigir a los usuarios a un sitio malicioso a trav\u00e9s de una URL creada espec\u00edficamente para ello." } ], "id": "CVE-2024-44776", "lastModified": "2025-03-25T17:16:09.703", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-08-29T18:15:14.440", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "http://vtiger.com" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"https://packetstormsecurity.com/files/180461/vTiger-CRM-7.4.0-Open-Redirection.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2019-06-06 19:29
Modified
2024-11-21 04:13
Severity ?
Summary
vtiger CRM 7.0.1, and probably prior versions, is affected by a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter).
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3EEF382-AB9D-45C3-9B1B-95F67556707C", "versionEndIncluding": "7.0.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts\u0026view=List (app parameter)." }, { "lang": "es", "value": "vtiger CRM 7.0.1 est\u00e1 afectado por una vulnerabilidad reflejada de secuencias de comandos entre sitios (XSS) que afecta a la versi\u00f3n 7.0.1 y probablemente a las versiones anteriores. Esta vulnerabilidad podr\u00eda permitir a los atacantes remotos no identificados inyectar un script web o HTML arbitrario a trav\u00e9s de index.php? Module = Contacts \u0026 view = List (par\u00e1metro de la aplicaci\u00f3n)." 
} ], "id": "CVE-2018-8047", "lastModified": "2024-11-21T04:13:11.237", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-06-06T19:29:00.250", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-22 13:06
Modified
2025-04-12 10:46
Severity ?
Summary
modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 6.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "7EB06F94-373E-4F6C-8CB8-213FA3A72D67", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters." }, { "lang": "es", "value": "modules/Users/ForgotPassword.php en vTiger 6.0 anterior a Security Patch 2 permite a atacantes remotos restablecer la contrase\u00f1a para usuarios arbitrarios a trav\u00e9s de una solicitud que contiene los par\u00e1metros username, password y confirmPassword." } ], "id": "CVE-2014-2269", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-04-22T13:06:28.523", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/66758" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/66758" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 21:30
Modified
2025-04-09 00:30
Severity
Summary
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://forums.vtiger.com/viewtopic.php?t=15094 | Vendor Advisory | |
cve@mitre.org | http://forums.vtiger.com/viewtopic.php?t=16756 | Vendor Advisory | |
cve@mitre.org | http://secunia.com/advisories/36309 | Third Party Advisory | |
cve@mitre.org | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://forums.vtiger.com/viewtopic.php?t=15094 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://forums.vtiger.com/viewtopic.php?t=16756 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/36309 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 1.0 | |
vtiger | vtiger_crm | 2.0 | |
vtiger | vtiger_crm | 2.0.1 | |
vtiger | vtiger_crm | 2.1 | |
vtiger | vtiger_crm | 3 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.0 | |
vtiger | vtiger_crm | 3.2 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4 | |
vtiger | vtiger_crm | 4.0 | |
vtiger | vtiger_crm | 4.0.1 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2 | |
vtiger | vtiger_crm | 4.2.4 | |
vtiger | vtiger_crm | 5.0.0 | |
vtiger | vtiger_crm | 5.0.2 | |
vtiger | vtiger_crm | 5.0.3 | |
vtiger | vtiger_crm | 5.0.4 | |
vtiger | vtiger_crm | 5.1.0 | |
vtiger | vtiger_crm | 5.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3:*:*:*:*:*:*:*", "matchCriteriaId": "458323BE-8583-435D-85B6-9F5F66F664A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:it:*:*:*:*", "matchCriteriaId": "83868C6E-8280-428D-9162-443FE263581F", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", 
"matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:validation:*:*:*", "matchCriteriaId": "DA72C37D-EB9E-46BD-946C-B87DAC303CDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors." 
}, { "lang": "es", "value": "vtiger CRM anteriores a v5.1.0 permite a usuarios autenticados, con algunos privilegios de Vista, borrar (1) adjuntos, (2) informes, (3) filtros, (4) Vistas, y (5) tickets; insertar (6) adjuntos, (7) informes, (8) filtros, (9) vistas, y (10) tickets; y editar (11) informes, (12) filtros, (13) vistas, y (14) tickets a trav\u00e9s de vectores sin especificar." } ], "id": "CVE-2009-3258", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-18T21:30:00.967", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://forums.vtiger.com/viewtopic.php?t=15094" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://forums.vtiger.com/viewtopic.php?t=16756" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://forums.vtiger.com/viewtopic.php?t=15094" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://forums.vtiger.com/viewtopic.php?t=16756" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/36309" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5249" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Severity
Summary
The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function." } ], "id": "CVE-2005-3823", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015274" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor 
Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity
Summary
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module." }, { "lang": "es", "value": "WordPlugin en el componente wordintegration de vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados evitar permisos de seguridad a nivel de campo y mezclar ficheros de su elecci\u00f3n en una plantilla de correo electr\u00f3nico, como se demuestra con los campos del m\u00f3dulo Contact." } ], "id": "CVE-2007-3600", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/45784" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45784" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-01-10 18:15
Modified
2025-04-17 02:38
Severity
Summary
Vtiger CRM v.6.1 and earlier is vulnerable to cross-site scripting (XSS) via the Documents module and the uploadAndSaveFile function in CRMEntity.php.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://andrea0.medium.com | Third Party Advisory | |
cve@mitre.org | https://andrea0.medium.com/analysis-of-cve-2024-54687-9d82f4c0eaa8 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "260C7260-2DC8-4E0E-930B-639AE2CA452E", "versionEndIncluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php." }, { "lang": "es", "value": "Vtiger CRM v.6.1 y anteriores son vulnerables a Cross Site Scripting (XSS) a trav\u00e9s del m\u00f3dulo Documentos y la funci\u00f3n uploadAndSaveFile en CRMEntity.php." } ], "id": "CVE-2024-54687", "lastModified": "2025-04-17T02:38:37.987", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-01-10T18:15:22.630", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://andrea0.medium.com" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://andrea0.medium.com/analysis-of-cve-2024-54687-9d82f4c0eaa8" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Severity
Summary
Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name." } ], "id": "CVE-2005-3821", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015274" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/21232" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=full-disclosure\u0026m=113290708121951\u0026w=2" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/21232" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417711/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/15569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-08-12 23:55
Modified
2025-04-12 10:46
Severity
Summary
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "D37B092E-EA7C-4077-8818-751A4A189110", "versionEndIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en kcfinder/browse.php en Vtiger CRM en versiones anteriores a 6.0.0 Security patch 1 permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de un .. (punto punto) en el par\u00e1metro file en una acci\u00f3n de descarga. NOTA: es probable que este problema sea en realidad en el componente de terceros KCFinder, y que afecta a productos adicionales adem\u00e1s de a Vtiger CRM." 
} ], "id": "CVE-2014-1222", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-08-12T23:55:03.360", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/531423/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/531423/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-05-21 20:15
Modified
2025-06-10 19:34
Severity
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 8.3.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:8.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "031C0516-9769-485B-8632-F97CC5E45BEA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution." }, { "lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Vtiger CRM Open Source Edition v8.3.0, explotable mediante la funci\u00f3n de importaci\u00f3n de servicios. Un atacante puede crear un archivo CSV malicioso que contenga un payload XSS, asignada al campo \"Nombre del servicio\". Al cargar el archivo, la aplicaci\u00f3n depura incorrectamente la entrada del usuario, lo que provoca la ejecuci\u00f3n persistente del script." 
} ], "id": "CVE-2025-45755", "lastModified": "2025-06-10T19:34:54.193", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-05-21T20:15:32.227", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.vtiger.com/open-source-crm/" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Third Party Advisory" ], "url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity
Summary
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module." }, { "lang": "es", "value": "index.php de vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados realizar cambios administrativos a propiedades de perfil de su elecci\u00f3n mediante una acci\u00f3n profilePrivileges determinada en el m\u00f3dulo Users." } ], "id": "CVE-2007-3616", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237" } ], "sourceIdentifier": 
"cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-10-14 14:15
Modified
2024-10-30 14:32
Severity
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Vtiger CRM v8.2.0 has an HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://okankurtulus.com.tr/2024/09/12/vtiger-crm-v8-2-0-html-injection-authenticated/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 8.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "AA9F48EF-E904-41D7-98C3-F5F49D539F97", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML." }, { "lang": "es", "value": "Vtiger CRM v8.2.0 tiene una vulnerabilidad de inyecci\u00f3n de HTML en el par\u00e1metro del m\u00f3dulo. Los usuarios autenticados pueden inyectar HTML arbitrario." } ], "id": "CVE-2024-48119", "lastModified": "2024-10-30T14:32:43.217", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-10-14T14:15:11.597", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://okankurtulus.com.tr/2024/09/12/vtiger-crm-v8-2-0-html-injection-authenticated/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-20 01:15
Modified
2024-11-21 05:09
Severity ?
Summary
Vtiger CRM v7.2.0 allows an attacker to display hidden files and list directory contents by requesting the /libraries and /layout directories.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png | Third Party Advisory | |
cve@mitre.org | https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png | Third Party Advisory | |
cve@mitre.org | https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "67080A37-5696-44F6-ABEC-8F1F6D646E95", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories." }, { "lang": "es", "value": "Vtiger CRM versi\u00f3n v7.2.0, permite a un atacante mostrar archivos ocultos, listar directorios al usar los directorios /libraries y /layout" } ], "id": "CVE-2020-19363", "lastModified": "2024-11-21T05:09:09.387", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-20T01:15:13.397", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], 
"url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-06 17:55
Modified
2025-04-11 00:51
Severity ?
Summary
Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter." }, { "lang": "es", "value": "Vulnerabilidad de directorio transversal en modules/com_vtiger_workflow/sortfieldsjson.php en vtiger CRM v5.1.0 permite a atacantes remotos leer archivos de su elecci\u00f3n a trav\u00e9s de .. (punto punto) en el par\u00e1metro module_name." } ], "id": "CVE-2012-4867", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-09-06T17:55:01.707", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/18635" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/18635" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 20:30
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en vtiger CRM versi\u00f3n 5.0.4, permiten a los atacantes remotos incluir y ejecutar archivos locales arbitrarios por medio de un .. 
(punto punto) en (1) el par\u00e1metro module en el archivo graph.php; o el par\u00e1metro (2 ) module o (3) file en el archivo include/Ajax/CommonAjax.php, accesible por medio de los archivos modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/ NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/ HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php y modules/Portal/PortalAjax.php; y permitir que los usuarios autenticados remotos incluyan y ejecuten archivos locales arbitrarios por medio de un .. (punto punto) en el par\u00e1metro step en una acci\u00f3n Import en el m\u00f3dulo (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potenciales, (9) Products, o (10) Vendors, accesible por medio del archivo index.php y relacionado al archivo modules/Import/index.php y m\u00faltiples archivos Import.php." 
} ], "id": "CVE-2009-3249", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-18T20:30:00.280", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/8118" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/57239" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://securityreason.com/securityalert/8118" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/57239" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-29 18:15
Modified
2024-09-03 18:33
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Summary
A reflected cross-site scripting (XSS) vulnerability in the tag parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://vtiger.com | Product | |
cve@mitre.org | https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 7.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "3929CDEE-B429-4C81-B70A-1AC975979606", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload." }, { "lang": "es", "value": "Una vulnerabilidad de Cross Site Scripting (XSS) reflejado en el par\u00e1metro de etiqueta en la p\u00e1gina de \u00edndice de vTiger CRM 7.4.0 permite a los atacantes ejecutar c\u00f3digo arbitrario en el contexto del navegador de un usuario mediante la inyecci\u00f3n de un payload especialmente manipulado." } ], "id": "CVE-2024-44777", "lastModified": "2024-09-03T18:33:38.413", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-08-29T18:15:14.540", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Product" ], "url": "http://vtiger.com" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity ?
Summary
SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el panel de control (include/utils/SearchUtils.php) en vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro assigned_user_id en la acci\u00f3n Potentials ListView de index.php." } ], "id": "CVE-2007-3603", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/45782" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" 
}, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45782" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 20:30
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php." }, { "lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el m\u00f3dulo RSS de vtiger CRM v5.0.4, permite a atacantes remotos secuestrar la autenticaci\u00f3n de los usuarios Admin para solicitudes que modifican el sistema de fuentes de noticias a trav\u00e9s del par\u00e1metro rssurl en una acci\u00f3n Save -guardar- en index.php." } ], "id": "CVE-2009-3248", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-09-18T20:30:00.250", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "cve@mitre.org", 
"tags": [ "Exploit" ], "url": "http://www.osvdb.org/57238" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://marc.info/?l=bugtraq\u0026m=125060676515670\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/9450" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/57238" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36062" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2319" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-01-04 14:29
Modified
2024-11-21 04:44
Severity ?
Summary
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * | |
vtiger | vtiger_crm | 7.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEE12792-2E47-4921-B7A0-90CB6EEB8F1F", "versionEndIncluding": "7.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "5EBD043D-53C6-4C4C-9D17-0CE7BEC3541C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"\u003c? ?\u003e\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php." }, { "lang": "es", "value": "La versi\u00f3n 7.1.0 de Vtiger CRM anterior a Hotfix2 permite la subida de archivos con la extensi\u00f3n \"php3\" en el campo de subida de logos, si el archivo subido tiene el formato PNG y el tama\u00f1o de 150x40. Se puede introducir c\u00f3digo PHP en la imagen; este c\u00f3digo puede ejecutarse mediante etiquetas \"\", tal y como queda demostrado con una acci\u00f3n de CompanyDetailsSave. Esto omite el mecanismo de protecci\u00f3n de las extensiones de archivos maliciosos. Est\u00e1 relacionado con actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php y models/CompanyDetails.php." 
} ], "id": "CVE-2019-5009", "lastModified": "2024-11-21T04:44:10.700", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-01-04T14:29:00.237", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46065" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46065" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-18 21:30
Modified
2025-04-09 00:30
Severity ?
Summary
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://secunia.com/advisories/36309 | Third Party Advisory | |
cve@mitre.org | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/36309 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055 | Exploit, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
vtiger | vtiger_crm | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "42168098-4C0F-4AC4-B4C6-5C96784CB7FF", "versionEndExcluding": "5.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile." }, { "lang": "es", "value": "vtiger CRM anteriores a v5.1.0 permite a usuarios remotos autenticados evitar los permisos de los campos (1) Cuenta de direcci\u00f3n de pago y (2) Direcci\u00f3n de env\u00edo en un perfil de Orden de Ventas (SO) asociado con aquel perfil." } ], "id": "CVE-2009-3257", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-18T21:30:00.907", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/36309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor 
Advisory" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-11-26 02:03
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.
References
Impacted products
Vendor | Product | Version
---|---|---
vtiger | vtiger_crm | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "136EE594-73FB-4218-921E-0F5BEEE9F23B", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module." } ], "id": "CVE-2005-3819", "lastModified": "2025-04-03T01:03:51.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-11-26T02:03:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015271" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/21225" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/15562" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Vendor Advisory" ], "url": "http://secunia.com/advisories/17693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015271" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.hardened-php.net/advisory_232005.105.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/21225" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/417730/30/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/15562" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2569" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-06 19:30
Modified
2025-04-09 00:30
Severity ?
Summary
vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php.
References
Impacted products
Vendor | Product | Version
---|---|---
vtiger | vtiger_crm | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php." }, { "lang": "es", "value": "vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados con acceso al men\u00fa Analytics DashBoard evitar restricciones de datos y leer la lista de acciones pr\u00f3ximas de la organizaci\u00f3n entera, posiblemente involucrando modules/Potentials/Potentials.php." } ], "id": "CVE-2007-3604", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-06T19:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/45783" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "cve@mitre.org", "url": 
"http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://forums.vtiger.com/viewtopic.php?p=44717" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45783" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }