CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 4CVE-2011-4559 – vTiger CRM 5.2 - 'onlyforuser' SQL Injection
https://notcve.org/view.php?id=CVE-2011-4559
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. Vulnerabilidad de inyección SQL en el módulo de calendario en vTiger CRM v5.2.1 y anteriores permite a atacantes remotos ejecutar comandos SQL a través del parámetro onlyforuser en una acción índice a index.php. • https://www.exploit-db.com/exploits/36208 http://osvdb.org/76138 http://seclists.org/fulldisclosure/2011/Oct/224 http://www.securityfocus.com/archive/1/520006/100/0/threaded http://www.securityfocus.com/bid/49948 http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin https://exchange.xforce.ibmcloud.com/vulnerabilities/70344 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 1%CPEs: 24EXPL: 0CVE-2010-3910 – Vtiger CRM 5.2.0 Code Execution / Cross Site Scripting / Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-3910
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php. Múltiples vulnerabilidades de salto de directorio en la función return_application_language en include/utils/utils.php en vtiger CRM anterior a v5.2.1 permite a atacantes remotos incluir y ejecutar archivos locales a través de un .. (punto punto) en (1) el parámetro lang_crm a phprint.php o (2) el parámetro current_language en una acción Accounts Import a graph.php. Vtiger CRM 5.2.0 suffers from code execution, cross site scripting and local file inclusion vulnerabilities. • http://secunia.com/advisories/42246 http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes http://www.securityfocus.com/archive/1/514846/100/0/threaded http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 0CVE-2010-3911 – Vtiger CRM 5.2.0 Code Execution / Cross Site Scripting / Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-3911
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados en vtiger CRM anterior a v5.2.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo (1) nombre de usuario (también conocido como default_user_name) o (2) el campo contraseña en una acción User Login a index.php, o (3) el parámetro etiqueta en una acción Settings GetFieldInfo a index.php, reaccionado con modules/Settings/GetFieldInfo.php. Vtiger CRM 5.2.0 suffers from code execution, cross site scripting and local file inclusion vulnerabilities. • http://secunia.com/advisories/42246 http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes http://www.securityfocus.com/archive/1/514846/100/0/threaded http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 1%CPEs: 25EXPL: 0CVE-2010-3909 – Vtiger CRM 5.2.0 Code Execution / Cross Site Scripting / Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-3909
Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. Vulnerabilidad de la lista negra incompleta en config.template.php en vtiger CRM antes de v5.2.1 permite a usuarios remotos autenticados ejecutar código arbitrario mediante la característica de guardado de borrador en el componente Compose Mail para cargar un archivo con extensión .phtml, y luego acceder a este archivo a través de una solicitud directa al archivo en el almacenamiento / árbol de directorios. Vtiger CRM 5.2.0 suffers from code execution, cross site scripting and local file inclusion vulnerabilities. • http://secunia.com/advisories/42246 http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes http://www.securityfocus.com/archive/1/514846/100/0/threaded http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 3.6EPSS: 0%CPEs: 1EXPL: 1CVE-2009-3257
https://notcve.org/view.php?id=CVE-2009-3257
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. vtiger CRM anteriores a v5.1.0 permite a usuarios remotos autenticados evitar los permisos de los campos (1) Cuenta de dirección de pago y (2) Dirección de envío en un perfil de Orden de Ventas (SO) asociado con aquel perfil. • http://secunia.com/advisories/36309 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055 • CWE-264: Permissions, Privileges, and Access Controls •