CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2008-3101 – vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-3101
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php. Multiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en vtiger CRM 5.0.4 permiten a atacantes remotos inyectar web script o HTML a través del parámetro (1) parenttab en una acción index del módulo Products, como se llega a través de index.php; (2) el parámetro user_password en una acción Authenticate del módulo Users, como se llega a través de index.php; o (3) el parámetro query_string en una acción UnifiedSearch del módulo Home, como se llega a través de index.php. vtigerCRM version 5.0.4 suffers from multiple cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/32307 http://secunia.com/advisories/31679 http://securityreason.com/securityalert/4208 http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html http://www.securityfocus.com/archive/1/495885/100/0/threaded http://www.securityfocus.com/bid/30951 http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload&tx_abdownloads_pi1%5Buid%5D=128&tx_abdownloads_pi1%5Bcategory_uid%5D=5&cHash=e16be773a5 http:// • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2008-3458
https://notcve.org/view.php?id=CVE-2008-3458
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. Vtiger CRM versiones anteriores a 5.0.4 almacena información sensible bajo la raíz web con insuficiente control de acceso, lo cual permite a atacantes remotos leer plantillas combinadas de mail a través de una petición directa al directorio wordtemplatedownload. • http://secunia.com/advisories/28370 http://sourceforge.net/project/shownotes.php?release_id=567189 http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107 http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes http://www.osvdb.org/40218 http://www.securityfocus.com/bid/27228 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3604
https://notcve.org/view.php?id=CVE-2007-3604
vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read the pipeline of the entire organization, possibly involving modules/Potentials/Potentials.php. vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados con acceso al menú Analytics DashBoard evitar restricciones de datos y leer la lista de acciones próximas de la organización entera, posiblemente involucrando modules/Potentials/Potentials.php. • http://forums.vtiger.com/viewtopic.php?p=44717 http://osvdb.org/45783 http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423 http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196 •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3617
https://notcve.org/view.php?id=CVE-2007-3617
The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read arbitrary private module entries. El módulo informe en vtiger CRM versiones anteriores a 5.0.3 no aplica apropiadamente las reglas de seguridad, lo cual permite a usuarios remotos autenticados leer entradas de módulo privadas de su elección. • http://osvdb.org/45804 http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2692 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3602
https://notcve.org/view.php?id=CVE-2007-3602
The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated users with inactive accounts to access and modify data, as demonstrated by the Thunderbird plugin. El servicio web SOAP en vtiger CRM versiones anteriores a 5.0.3 no asegura que cuentas autenticadas estén activas, lo cual permite a atacantes remotos con cuentas inactivas acceder y modificar datos, como se demuestra con el plugin de Thunderbird. • http://forums.vtiger.com/viewtopic.php?p=44233 http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10245 http://trac.vtiger.com/cgi-bin/trac.cgi/report/9 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3084 •