Vtiger Crm vulnerabilities
72 known vulnerabilities affecting vtiger/vtiger_crm.
Total CVEs: 72
CISA KEV: 0
Public exploits: 24
Exploited in wild: 2
Severity breakdown: CRITICAL 8, HIGH 24, MEDIUM 38, LOW 2
Vulnerabilities
Page 3 of 4
CVE-2009-3258 | P3 | CRITICAL | CVSS 9.0 | affected: v1.0, v2.0, +15 more | published 2009-09-18
CWE-264. vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors.
Source: nvd
CVE-2005-3822 | P3 | HIGH | CVSS 7.5 | affected: ≤ 4.2 | published 2005-11-26
Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module.
Source: nvd
CVE-2005-3823 | P4 | HIGH | CVSS 7.5 | affected: ≤ 4.2 | published 2005-11-26
The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function.
Source: nvd
CVE-2010-3909 | P4 | MEDIUM | CVSS 6.0 | affected: ≤ 5.2.0, v1.0, +16 more | published 2010-11-26
CWE-94. Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree.
Source: nvd
CVE-2025-1618 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 6.4.0, < 7.0 | published 2025-02-24
CWE-79. A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to
Source: nvd
CVE-2007-3599 | P4 | HIGH | CVSS 8.5 | affected: ≤ 5.0.2 | published 2007-07-06
vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission.
Source: nvd
CVE-2008-3458 | P4 | MEDIUM | CVSS 5.0 | affected: ≤ 5.0.3 | published 2008-08-04
CWE-200. Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
Source: nvd
CVE-2005-3820 | P4 | MEDIUM | CVSS 6.4 | affected: ≤ 4.2 | published 2005-11-26
Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into l
Source: nvd
CVE-2007-3603 | P4 | MEDIUM | CVSS 6.5 | affected: ≤ 5.0.2 | published 2007-07-06
SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php.
Source: nvd
CVE-2007-3616 | P4 | MEDIUM | CVSS 6.5 | affected: ≤ 5.0.2 | published 2007-07-06
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module.
Source: nvd
CVE-2005-3824 | P4 | MEDIUM | CVSS 5.0 | affected: ≤ 4.2 | published 2005-11-26
The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action.
Source: nvd
CVE-2025-45755 | P4 | MEDIUM | CVSS 6.1 | affected: v8.3.0 | published 2025-05-21
CWE-79. A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script
Source: nvd
CVE-2024-48119 | P4 | MEDIUM | CVSS 5.4 | affected: v8.2.0 | published 2024-10-14
CWE-79. Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
Source: nvd
CVE-2018-8047 | P4 | MEDIUM | CVSS 6.1 | affected: ≤ 7.0.1 | published 2019-06-06
CWE-79. vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter).
Source: nvd
CVE-2020-19362 | P4 | MEDIUM | CVSS 6.1 | affected: v7.2.0 | published 2021-01-20
CWE-79. Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.
Source: nvd
CVE-2022-38335 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 7.4.0 | published 2022-09-27
CWE-79. Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
Source: nvd
CVE-2024-54687 | P4 | MEDIUM | CVSS 6.1 | affected: ≤ 6.1 | published 2025-01-10
CWE-79. Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php.
Source: nvd
CVE-2024-44776 | P4 | MEDIUM | CVSS 6.1 | affected: v7.4.0 | published 2024-08-29
CWE-601. An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
Source: nvd
CVE-2007-3602 | P4 | MEDIUM | CVSS 5.5 | affected: ≤ 5.0.2 | published 2007-07-06
The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin.
Source: nvd
CVE-2006-4587 | P4 | MEDIUM | CVSS 6.8 | affected: v4.2, v4.2.4 | published 2006-09-06
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) description parameter in unspecified modules or the (2) solution parameter in the HelpDesk module.
Source: nvd