CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-38335
https://notcve.org/view.php?id=CVE-2022-38335
27 Sep 2022 — Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules. Se ha detectado que Vtiger CRM versión v7.4.0, contiene una vulnerabilidad de tipo cross-site scripting (XSS) almacenado por medio de los módulos e-mail template • https://code.vtiger.com/vtiger/vtigercrm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-22807
https://notcve.org/view.php?id=CVE-2020-22807
29 Apr 2021 — An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature. Se detectó un problema en vtiger crm versión 7.2. Una Inyección sql de unión en la funcionalidad calendar exportdata. • https://cloud.tencent.com/developer/article/1612208 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19363
https://notcve.org/view.php?id=CVE-2020-19363
20 Jan 2021 — Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories. Vtiger CRM versión v7.2.0, permite a un atacante mostrar archivos ocultos, listar directorios al usar los directorios /libraries y /layout • https://emreovunc.com/blog/en/vtiger_crm_directorylisting_01.png • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19362
https://notcve.org/view.php?id=CVE-2020-19362
20 Jan 2021 — Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page. Una vulnerabilidad de tipo XSS reflejado en Vtiger CRM versión v7.2.0, en el archivo vtigercrm/index.php? mediante el parámetro view puede resultar en que un atacante lleve a cabo acciones maliciosas para usuarios que abren un vínculo diseñado malicioso o una página web de terceros • https://emreovunc.com/blog/en/vtiger_crm_xss_03.png • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19202
https://notcve.org/view.php?id=CVE-2019-19202
21 Nov 2019 — In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. En Vtiger versiones 7.x anteriores a 7.2.0, la funcionalidad de guardado en My Preferences permite a un usuario sin privilegios administrativos cambiar su propio rol agregando roleid=H2 a una petición POST. • http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html • CWE-276: Incorrect Default Permissions •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8047
https://notcve.org/view.php?id=CVE-2018-8047
06 Jun 2019 — vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). vtiger CRM 7.0.1 está afectado por una vulnerabilidad reflejada de secuencias de comandos entre sitios (XSS) que afecta a la versión 7.0.1 y probablemente a las versiones anteriores. Esta vulnerabilidad podría pe... • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2018-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2016-10754
https://notcve.org/view.php?id=CVE-2016-10754
24 May 2019 — modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. En Vtiger CRM versión 6.5.0, el archivo modules/Calendar/Activity.php permite la inyección de SQL por medio del parámetro contactidlist. • https://blog.ripstech.com/2016/vtiger-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 1CVE-2019-11057
https://notcve.org/view.php?id=CVE-2019-11057
17 May 2019 — SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. La vulnerabilidad de la inyección de SQL en Vtiger CRM antes de la revisión 7.1.03 permite a los usuarios autenticados ejecutar comandos SQL arbitrarios. • http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 7%CPEs: 2EXPL: 2CVE-2019-5009 – Vtiger CRM 7.1.0 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-5009
04 Jan 2019 — Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. • https://www.exploit-db.com/exploits/46065 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 3CVE-2016-1713 – Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2016-1713
14 Apr 2017 — Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. Vulnerabilidad de subida de archivos sin restricciones en Vtger CRM 6.... • https://www.exploit-db.com/exploits/44379 • CWE-434: Unrestricted Upload of File with Dangerous Type •