CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-38335
https://notcve.org/view.php?id=CVE-2022-38335
Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. Se ha detectado que Vtiger CRM versión v7.4.0, contiene una vulnerabilidad de tipo cross-site scripting (XSS) almacenado por medio de los módulos e-mail template • https://code.vtiger.com/vtiger/vtigercrm https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting https://www.vtiger.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-22807
https://notcve.org/view.php?id=CVE-2020-22807
An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature. Se detectó un problema en vtiger crm versión 7.2. Una Inyección sql de unión en la funcionalidad calendar exportdata. • https://cloud.tencent.com/developer/article/1612208 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19363
https://notcve.org/view.php?id=CVE-2020-19363
Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories. Vtiger CRM versión v7.2.0, permite a un atacante mostrar archivos ocultos, listar directorios al usar los directorios /libraries y /layout • https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png https://emreovunc.com/blog/en/vtiger_crm_directorylisting_02.png https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19362
https://notcve.org/view.php?id=CVE-2020-19362
Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page. Una vulnerabilidad de tipo XSS reflejado en Vtiger CRM versión v7.2.0, en el archivo vtigercrm/index.php? mediante el parámetro view puede resultar en que un atacante lleve a cabo acciones maliciosas para usuarios que abren un vínculo diseñado malicioso o una página web de terceros • https://emreovunc.com/blog/en/vtiger_crm_xss_03.png https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19202
https://notcve.org/view.php?id=CVE-2019-19202
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. En Vtiger versiones 7.x anteriores a 7.2.0, la funcionalidad de guardado en My Preferences permite a un usuario sin privilegios administrativos cambiar su propio rol agregando roleid=H2 a una petición POST. • http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html https://code.vtiger.com/vtiger/vtigercrm/issues/1126 • CWE-276: Incorrect Default Permissions •