CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2009-3251
https://notcve.org/view.php?id=CVE-2009-3251
18 Sep 2009 — include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. include/utils/ListViewUtils.php en vtiger CRM anteriores a 5.1.0 permite a usuarios remotos autenticados evitar las restricciones de acceso previstas y leer los campos (1) visibilidad, (2) localización, y (3) recurrencia de un calendario a través de una vista personalizada. • http://secunia.com/advisories/36309 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 6CVE-2009-3247 – vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-3247
18 Sep 2009 — Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Activities en vtiger CRM v5.0.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "action" al phprint... • https://www.exploit-db.com/exploits/9450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2008-3101 – vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-3101
03 Sep 2008 — Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php. Multiples vulnerabilidades de secuencias de coma... • https://www.exploit-db.com/exploits/32307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2008-3458
https://notcve.org/view.php?id=CVE-2008-3458
04 Aug 2008 — Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. Vtiger CRM versiones anteriores a 5.0.4 almacena información sensible bajo la raíz web con insuficiente control de acceso, lo cual permite a atacantes remotos leer plantillas combinadas de mail a través de una petición directa al directorio wordtemplatedownload. • http://secunia.com/advisories/28370 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3598
https://notcve.org/view.php?id=CVE-2007-3598
06 Jul 2007 — index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo. index.php de vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados obtener t... • http://forums.vtiger.com/viewtopic.php?p=38609 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3602
https://notcve.org/view.php?id=CVE-2007-3602
06 Jul 2007 — The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin. El servicio web SOAP en vtiger CRM versiones anteriores a 5.0.3 no asegura que cuentas autenticadas estén activas, lo cual permite a atacantes remotos con cuentas inactivas acceder y modificar datos, como se demuestra con el plugin de Thunderbird. • http://forums.vtiger.com/viewtopic.php?p=44233 •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3599
https://notcve.org/view.php?id=CVE-2007-3599
06 Jul 2007 — vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission. vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados importar y exportar la información de un contacto incluso cuando solamente disponen de permiso Ver. • http://osvdb.org/45781 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3600
https://notcve.org/view.php?id=CVE-2007-3600
06 Jul 2007 — WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module. WordPlugin en el componente wordintegration de vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados evitar permisos de seguridad a nivel de campo y mezclar ficheros de su elección en una plantilla de correo electrónico, como se demuest... • http://osvdb.org/45784 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3601
https://notcve.org/view.php?id=CVE-2007-3601
06 Jul 2007 — vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view. vtiger CRM versiones anteriores a 5.0.3, cuando se utiliza una versión migrada, permite a usuarios remotos autenticados leer determinadas actividades de calendario de otros usuarios mediante (1) una página de inicio ó (2) una vista de lista de eventos. • http://osvdb.org/45785 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3603
https://notcve.org/view.php?id=CVE-2007-3603
06 Jul 2007 — SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php. Vulnerabilidad de inyección SQL en el panel de control (include/utils/SearchUtils.php) en vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección a través del parámetro assigned_user_id en la acción... • http://forums.vtiger.com/viewtopic.php?p=44717 •