CVSS: 8.8EPSS: 0%CPEs: 25EXPL: 0CVE-2010-3909 – Vtiger CRM 5.2.0 Code Execution / Cross Site Scripting / Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-3909
18 Nov 2010 — Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. Vulnerabilidad de la lista negra incompleta en config.template.php en vtiger CRM antes de v5.2.1 permite a usuarios remotos autenticados ejecutar código arbitrario media... • http://secunia.com/advisories/42246 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 23EXPL: 0CVE-2009-3258
https://notcve.org/view.php?id=CVE-2009-3258
18 Sep 2009 — vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors. vtiger CRM anteriores a v5.1.0 permite a usuarios autenticados, con algunos privilegios de Vista, borrar (1) adjuntos, (2) informes, (3) filtros, (4) Vistas, y (5) tickets;... • http://forums.vtiger.com/viewtopic.php?t=15094 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2009-3251
https://notcve.org/view.php?id=CVE-2009-3251
18 Sep 2009 — include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. include/utils/ListViewUtils.php en vtiger CRM anteriores a 5.1.0 permite a usuarios remotos autenticados evitar las restricciones de acceso previstas y leer los campos (1) visibilidad, (2) localización, y (3) recurrencia de un calendario a través de una vista personalizada. • http://secunia.com/advisories/36309 • CWE-264: Permissions, Privileges, and Access Controls •