CVSS: 8.8EPSS: 0%CPEs: 25EXPL: 0CVE-2010-3909
https://notcve.org/view.php?id=CVE-2010-3909
26 Nov 2010 — Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. Vulnerabilidad de la lista negra incompleta en config.template.php en vtiger CRM antes de v5.2.1 permite a usuarios remotos autenticados ejecutar código arbitrario media... • http://secunia.com/advisories/42246 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 24EXPL: 0CVE-2010-3911
https://notcve.org/view.php?id=CVE-2010-3911
26 Nov 2010 — Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados en vtiger CRM anterior a v5.2.1 permite a atacante... • http://secunia.com/advisories/42246 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 24EXPL: 0CVE-2010-3910
https://notcve.org/view.php?id=CVE-2010-3910
26 Nov 2010 — Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php. Múltiples vulnerabilidades de salto de directorio en la función return_application_language en include/utils/utils.php en vtiger CRM anterior a v5.2.1 permi... • http://secunia.com/advisories/42246 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 23EXPL: 0CVE-2009-3258
https://notcve.org/view.php?id=CVE-2009-3258
18 Sep 2009 — vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors. vtiger CRM anteriores a v5.1.0 permite a usuarios autenticados, con algunos privilegios de Vista, borrar (1) adjuntos, (2) informes, (3) filtros, (4) Vistas, y (5) tickets;... • http://forums.vtiger.com/viewtopic.php?t=15094 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2009-3257
https://notcve.org/view.php?id=CVE-2009-3257
18 Sep 2009 — vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. vtiger CRM anteriores a v5.1.0 permite a usuarios remotos autenticados evitar los permisos de los campos (1) Cuenta de dirección de pago y (2) Dirección de envío en un perfil de Orden de Ventas (SO) asociado con aquel perfil. • http://secunia.com/advisories/36309 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2009-3251
https://notcve.org/view.php?id=CVE-2009-3251
18 Sep 2009 — include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. include/utils/ListViewUtils.php en vtiger CRM anteriores a 5.1.0 permite a usuarios remotos autenticados evitar las restricciones de acceso previstas y leer los campos (1) visibilidad, (2) localización, y (3) recurrencia de un calendario a través de una vista personalizada. • http://secunia.com/advisories/36309 • CWE-264: Permissions, Privileges, and Access Controls •