Filtered by vendor Vtiger
Subscribe
Total
60 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-7326 | 1 Vtiger | 1 Vtiger Crm | 2024-02-14 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php. | |||||
| CVE-2023-38891 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | N/A | 8.8 HIGH |
| SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. | |||||
| CVE-2022-38335 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | N/A | 5.4 MEDIUM |
| Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. | |||||
| CVE-2020-22807 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature. | |||||
| CVE-2020-19363 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories. | |||||
| CVE-2020-19362 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page. | |||||
| CVE-2013-3591 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability | |||||
| CVE-2013-3215 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. | |||||
| CVE-2013-3214 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. | |||||
| CVE-2015-6000 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. | |||||
| CVE-2013-3212 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. | |||||
| CVE-2019-19202 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | |||||
| CVE-2016-10754 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. | |||||
| CVE-2018-8047 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). | |||||
| CVE-2019-11057 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | |||||
| CVE-2019-5009 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php. | |||||
| CVE-2016-1713 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 8.5 HIGH | 7.3 HIGH |
| Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. | |||||
| CVE-2016-4834 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
| modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. | |||||
| CVE-2014-2268 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 5.0 MEDIUM | N/A |
| views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. | |||||
| CVE-2013-3213 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. | |||||