Total
59 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2010-3910 | 1 Vtiger | 1 Vtiger Crm | 2018-10-30 | 6.8 MEDIUM | N/A |
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php. | |||||
CVE-2005-3820 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 6.4 MEDIUM | N/A |
Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file. | |||||
CVE-2005-3818 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module. | |||||
CVE-2005-3823 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 7.5 HIGH | N/A |
The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function. | |||||
CVE-2005-3819 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module. | |||||
CVE-2005-3824 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 5.0 MEDIUM | N/A |
The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action. | |||||
CVE-2005-3821 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name. | |||||
CVE-2005-3822 | 1 Vtiger | 1 Vtiger Crm | 2018-10-19 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module. | |||||
CVE-2006-5289 | 1 Vtiger | 1 Vtiger Crm | 2018-10-17 | 7.5 HIGH | N/A |
Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php. | |||||
CVE-2008-3101 | 1 Vtiger | 1 Vtiger Crm | 2018-10-11 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php. | |||||
CVE-2014-1222 | 1 Vtiger | 1 Vtiger Crm | 2018-10-09 | 4.0 MEDIUM | N/A |
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM. | |||||
CVE-2011-4670 | 1 Vtiger | 1 Vtiger Crm | 2018-10-09 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php. | |||||
CVE-2011-4559 | 1 Vtiger | 1 Vtiger Crm | 2018-10-09 | 7.5 HIGH | N/A |
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. | |||||
CVE-2016-1713 | 1 Vtiger | 1 Vtiger Crm | 2018-04-01 | 8.5 HIGH | 7.3 HIGH |
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. | |||||
CVE-2009-3257 | 1 Vtiger | 1 Vtiger Crm | 2017-12-07 | 3.6 LOW | N/A |
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. | |||||
CVE-2008-3458 | 1 Vtiger | 1 Vtiger Crm | 2017-11-22 | 5.0 MEDIUM | N/A |
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. | |||||
CVE-2009-3251 | 1 Vtiger | 1 Vtiger Crm | 2017-11-22 | 4.0 MEDIUM | N/A |
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. | |||||
CVE-2011-4679 | 1 Vtiger | 1 Vtiger Crm | 2017-11-22 | 4.0 MEDIUM | N/A |
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. | |||||
CVE-2014-2268 | 1 Vtiger | 1 Vtiger Crm | 2017-11-20 | 5.0 MEDIUM | N/A |
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. | |||||
CVE-2009-3248 | 1 Vtiger | 1 Vtiger Crm | 2017-09-18 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php. |