
CVSS: 7.5 • EPSS: 0% • CPEs: 12 • EXPL: 3

Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.

References:
• https://www.exploit-db.com/exploits/27279
• http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html
• http://karmainsecurity.com/KIS-2013-06
• http://www.securityfocus.com/bid/61563
• https://exchange.xforce.ibmcloud.com/vulnerabilities/86129
• https://www.vtiger.com/blogs/?p=1467

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
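The entry above describes two distinct CWE-89 shapes: a value parameter (emailaddress, picklist_name) spliced into a query, and a whole where clause taken from the request. The following is an added example written for this page, not vTiger's code, showing both shapes against a constructed in-memory SQLite table; the table, rows, function names and the allow-list are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample table standing in for a CRM contacts table; the schema and rows are
# invented for this example and are not vTiger's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO contacts (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn

def search_by_email_vulnerable(conn, emailaddress):
    # CWE-89 pattern: the caller-supplied value becomes part of the SQL text, so a quote
    # in it ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT name FROM contacts WHERE email = '" + emailaddress + "'"
    return [row[0] for row in conn.execute(sql)]

def search_by_email_safe(conn, emailaddress):
    # Bound parameter: the value travels separately from the statement text, so quotes
    # and keywords inside it are matched literally against the column.
    sql = "SELECT name FROM contacts WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (emailaddress,))]

# A raw caller-supplied "where" clause (the second pattern in the entry above) cannot be
# bound as a parameter at all; the fix is to accept only a field name from an allow-list
# (hypothetical set for this example) and bind the value.
ALLOWED_FILTER_FIELDS = {"email", "name"}

def list_by_field_safe(conn, field, value):
    if field not in ALLOWED_FILTER_FIELDS:
        raise ValueError("unsupported filter field: %r" % (field,))
    # The identifier comes only from the allow-list above, never from the request.
    sql = "SELECT name FROM contacts WHERE %s = ?" % field
    return [row[0] for row in conn.execute(sql, (value,))]

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", search_by_email_vulnerable(db, payload))  # returns every row
    print("safe:      ", search_by_email_safe(db, payload))        # returns no rows
```

The same payload returns every contact through the concatenated query and nothing through the bound one; a filter field that is not in the allow-list is refused before any SQL is built.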

CVSS: 8.1 • EPSS: 7% • CPEs: 1 • EXPL: 2

vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.

References:
• https://www.exploit-db.com/exploits/27279
• http://www.securityfocus.com/bid/61560
• https://exchange.xforce.ibmcloud.com/vulnerabilities/86162

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.8 • EPSS: 83% • CPEs: 1 • EXPL: 4

vtiger CRM 5.4.0 and earlier contain a PHP code injection vulnerability in 'vtigerolservice.php'.

References:
• https://www.exploit-db.com/exploits/30787
• https://www.exploit-db.com/exploits/27279
• https://github.com/shadofren/CVE-2013-3214
• http://www.securityfocus.com/bid/61558
• https://exchange.xforce.ibmcloud.com/vulnerabilities/86164

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 3

Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.

References:
• https://www.exploit-db.com/exploits/18770
• http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html
• http://www.exploit-db.com/exploits/18635

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
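The traversal entry above and the local file-include entry for customerportal.php earlier on this page share one root cause: a request parameter is used to build a filesystem path and ".." segments walk out of the intended directory. The block below is an added example written for this page, not vtiger's code; it models that pattern with a hypothetical module root and a simplified path builder, computes paths only (nothing is opened), and shows the allow-list plus containment check a hardened version needs. The root directory, function names and name pattern are assumptions.

```python
import posixpath
import re

# Hypothetical web root for the example; no file is actually opened, paths are only computed.
MODULES_ROOT = "/var/www/crm/modules"

def module_file_vulnerable(module_name):
    # Stand-in for the vulnerable pattern: the request parameter is spliced into a
    # filesystem path, so "../../../../etc/passwd" normalizes to a path outside the root.
    return posixpath.normpath(posixpath.join(MODULES_ROOT, module_name))

# Hardened version: allow-list the single path component, then verify containment of the
# normalized result as a second, independent check.
_MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")

def is_within_root(candidate, root=MODULES_ROOT):
    # commonpath compares whole components; a plain startswith() would wrongly accept
    # "/var/www/crm/modules2/x" as being under "/var/www/crm/modules".
    return posixpath.commonpath([root, candidate]) == root

def module_file_safe(module_name):
    # fullmatch (not match with '$') so a trailing newline cannot slip past the pattern.
    if not _MODULE_NAME.fullmatch(module_name):
        # Rejects "..", "/", "%2e%2e" (a literal '%' never matches) and NUL bytes alike.
        raise ValueError("invalid module name: %r" % (module_name,))
    candidate = posixpath.normpath(posixpath.join(MODULES_ROOT, module_name))
    if not is_within_root(candidate):
        raise ValueError("path escapes module root: %r" % (candidate,))
    return candidate

if __name__ == "__main__":
    payload = "../../../../etc/passwd"
    print("vulnerable:", module_file_vulnerable(payload))
    try:
        module_file_safe(payload)
    except ValueError as exc:
        print("safe:", exc)
```

The allow-list alone is sufficient for a single path component; the containment check is kept as defence in depth for code paths where the name is later joined with further segments.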

CVSS: 4.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.

References:
• http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003
• http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004
• http://wiki.vtiger.com/index.php/Oct2011:ODUpdate

CWE-264: Permissions, Privileges, and Access Controls