
Vtiger Crm vulnerabilities

72 known vulnerabilities affecting vtiger/vtiger_crm.

Total CVEs: 72
CISA KEV: 0
Public exploits: 24
Exploited in wild: 2

Severity breakdown:
CRITICAL: 8
HIGH: 24
MEDIUM: 38
LOW: 2

Vulnerabilities

Page 4 of 4
CVE-2007-3600 | P4 | MEDIUM | CVSS 4.0 | affects ≤ 5.0.2 | 2007-07-06
WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module.
Source: NVD

CVE-2013-7326 | P4 | MEDIUM | CWE-79 | CVSS 4.3 | affects v5.4.0 | 2014-02-14
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php.
Source: NVD

CVE-2007-3598 | P4 | MEDIUM | CVSS 5.5 | affects ≤ 5.0.2 | 2007-07-06
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execut
Source: NVD

CVE-2007-3617 | P4 | MEDIUM | CVSS 4.0 | affects ≤ 5.0.2 | 2007-07-06
The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries.
Source: NVD

CVE-2011-4679 | P4 | MEDIUM | CWE-264 | CVSS 4.0 | fixed in 5.3.0 | 2011-12-07
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.
Source: NVD

CVE-2005-3821 | P4 | MEDIUM | CVSS 4.3 | affects ≤ 4.2 | 2005-11-26
Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name.
Source: NVD

CVE-2011-4680 | P4 | MEDIUM | CWE-79 | CVSS 4.3 | affects ≤ 5.1.0, v1.0, +17 more | 2011-12-07
Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: NVD

CVE-2007-3604 | P4 | MEDIUM | CVSS 4.0 | affects ≤ 5.0.2 | 2007-07-06
vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php.
Source: NVD

CVE-2010-3911 | P4 | MEDIUM | CWE-79 | CVSS 4.3 | affects ≤ 5.2.0, v1.0, +16 more | 2010-11-26
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Sett
Source: NVD

CVE-2009-3251 | P4 | MEDIUM | CWE-264 | CVSS 4.0 | affects ≤ 5.1.0 | 2009-09-18
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.
Source: NVD

CVE-2009-3257 | P4 | LOW | CWE-264 | CVSS 3.6 | fixed in 5.1.0 | 2009-09-18
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
Source: NVD

CVE-2007-3601 | P4 | LOW | CVSS 2.1 | affects ≤ 5.0.2 | 2007-07-06
vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view.
Source: NVD