CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2009-3251
https://notcve.org/view.php?id=CVE-2009-3251
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. include/utils/ListViewUtils.php en vtiger CRM anteriores a 5.1.0 permite a usuarios remotos autenticados evitar las restricciones de acceso previstas y leer los campos (1) visibilidad, (2) localización, y (3) recurrencia de un calendario a través de una vista personalizada. • http://secunia.com/advisories/36309 http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/12407 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4208 http://www.osvdb.org/57241 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 6CVE-2009-3247 – vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-3247
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Activities en vtiger CRM v5.0.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "action" al phprint.php. NOTA: el vector query_String actualmente está reportado en el CVE-2008-3101. • https://www.exploit-db.com/exploits/9450 http://secunia.com/advisories/36309 http://www.exploit-db.com/exploits/9450 http://www.osvdb.org/57240 http://www.securityfocus.com/bid/36062 http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt http://www.vupen.com/english/advisories/2009/2319 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 7CVE-2009-3249 – vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-3249
Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files. Múltiples vulnerabilidades de salto de directorio en vtiger CRM versión 5.0.4, permiten a los atacantes remotos incluir y ejecutar archivos locales arbitrarios por medio de un .. (punto punto) en (1) el parámetro module en el archivo graph.php; o el parámetro (2 ) module o (3) file en el archivo include/Ajax/CommonAjax.php, accesible por medio de los archivos modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/ NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/ HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php y modules/Portal/PortalAjax.php; y permitir que los usuarios autenticados remotos incluyan y ejecuten archivos locales arbitrarios por medio de un .. • https://www.exploit-db.com/exploits/9450 https://www.exploit-db.com/exploits/16280 http://marc.info/?l=bugtraq&m=125060676515670&w=2 http://secunia.com/advisories/36309 http://securityreason.com/securityalert/8118 http://www.exploit-db.com/exploits/9450 http://www.osvdb.org/57239 http://www.securityfocus.com/bid/36062 http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt http:// • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2008-3101 – vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-3101
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php. Multiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en vtiger CRM 5.0.4 permiten a atacantes remotos inyectar web script o HTML a través del parámetro (1) parenttab en una acción index del módulo Products, como se llega a través de index.php; (2) el parámetro user_password en una acción Authenticate del módulo Users, como se llega a través de index.php; o (3) el parámetro query_string en una acción UnifiedSearch del módulo Home, como se llega a través de index.php. vtigerCRM version 5.0.4 suffers from multiple cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/32307 http://secunia.com/advisories/31679 http://securityreason.com/securityalert/4208 http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html http://www.securityfocus.com/archive/1/495885/100/0/threaded http://www.securityfocus.com/bid/30951 http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload&tx_abdownloads_pi1%5Buid%5D=128&tx_abdownloads_pi1%5Bcategory_uid%5D=5&cHash=e16be773a5 http:// • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2008-3458
https://notcve.org/view.php?id=CVE-2008-3458
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. Vtiger CRM versiones anteriores a 5.0.4 almacena información sensible bajo la raíz web con insuficiente control de acceso, lo cual permite a atacantes remotos leer plantillas combinadas de mail a través de una petición directa al directorio wordtemplatedownload. • http://secunia.com/advisories/28370 http://sourceforge.net/project/shownotes.php?release_id=567189 http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811 http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107 http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes http://www.osvdb.org/40218 http://www.securityfocus.com/bid/27228 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •