Vulnerabilities for 'Vtiger crm'

2021-01-20
CVE-2020-19363
CWE-200 (information exposure)
Vtiger CRM v7.2.0 allows an attacker to list directory contents and display hidden files by requesting the /libraries and /layout directories directly.

CVE-2020-19362
CWE-79 (cross-site scripting)
Reflected XSS in Vtiger CRM v7.2.0 through the view parameter of vtigercrm/index.php lets an attacker run script in the browser of any user who opens a maliciously crafted link or a third-party web page that issues the request.

2020-02-07
CVE-2013-3591
CWE-434 (unrestricted upload of file with dangerous type)
vTiger CRM 5.3 and 5.4: 'files' upload folder arbitrary PHP code execution vulnerability.

2020-02-06
CVE-2015-6000
CWE-434 (unrestricted upload of file with dangerous type)
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.

2020-01-29
CVE-2013-3215
CWE-287 (improper authentication)
vtiger CRM 5.4.0 and earlier contain an authentication bypass vulnerability due to improper authentication validation in the validateSession function.

2020-01-28
CVE-2013-3214
CWE-74 (injection)
vtiger CRM 5.4.0 and earlier contain a PHP code injection vulnerability in 'vtigerolservice.php'.

CVE-2013-3212
CWE-74 (injection)
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.

2019-11-21
CVE-2019-19202
CWE-276 (incorrect default permissions)
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change their own role by adding roleid=H2 to the POST request.

2019-06-06
CVE-2018-8047
CWE-79 (cross-site scripting)
vtiger CRM 7.0.1 (and probably prior versions) is affected by a reflected Cross-Site Scripting (XSS) vulnerability that allows remote unauthenticated attackers to inject arbitrary web script or HTML via the app parameter of index.php?module=Contacts&view=List.

2019-05-24
CVE-2016-10754
CWE-89 (SQL injection)
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
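
The entries above name the exact paths and parameters each attack touches. As an added example (this is not code from cxsecurity.com or the Vtiger project), the Python matcher below turns those details into request-level detection rules for CVE-2020-19363, CVE-2020-19362, CVE-2018-8047, CVE-2016-10754, CVE-2019-19202, CVE-2015-6000 and CVE-2013-3212 and runs them over constructed sample traffic. Assumptions: the sample requests, their module and action names, the `file` parameter in the customerportal.php sample and the payload regexes are illustrative; the roleid rule needs a log source that records POST bodies (a WAF or audit log), since the advisory's roleid=H2 never appears in a plain access log; and the CVE-2013-3212 advisory does not name the injected parameter, so that rule flags a traversal sequence in any parameter sent to customerportal.php.

```python
"""Request-level indicator matcher for the Vtiger CRM CVEs listed on this page.

Added example, not code from cxsecurity.com or the Vtiger project. Paths and
parameter names come from the CVE descriptions; the sample traffic is
constructed and its module/action names are illustrative only.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Payload heuristics. Deliberately crude: a miss is a false negative, not
# evidence of a clean request.
XSS_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)", re.I)
NOT_ID_LIST_RE = re.compile(r"[^\d,\s]")            # contactidlist should carry ids only
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%00|\x00")  # assumed LFI payload shape
DIR_LISTING_RE = re.compile(r"^(?:/[^/]+)*/(?:libraries|layout)/?$", re.I)
LOGO_EXEC_RE = re.compile(r"/test/logo/[^/]+\.(?:php\d?|phtml|phar)$", re.I)


def _params(encoded: str) -> dict:
    """Decode a query string or urlencoded form body into {name: [values]}."""
    return parse_qs(encoded, keep_blank_values=True)


def match_indicators(method: str, uri: str, body: str = "") -> list:
    """Return the CVE identifiers from this page whose attack pattern the request matches."""
    method = method.upper()
    parts = urlsplit(uri)
    path = parts.path
    q = _params(parts.query)
    b = _params(body) if method == "POST" else {}
    hits = []

    # CVE-2020-19363: a bare request for the /libraries or /layout directory
    # itself; normal page loads fetch files beneath them, never the directory.
    if method == "GET" and DIR_LISTING_RE.match(path):
        hits.append("CVE-2020-19363")

    # CVE-2020-19362: reflected XSS through the view parameter of index.php.
    if path.endswith("/index.php") and any(XSS_RE.search(v) for v in q.get("view", [])):
        hits.append("CVE-2020-19362")

    # CVE-2018-8047: reflected XSS through the app parameter of the Contacts list view.
    if (path.endswith("/index.php") and q.get("module") == ["Contacts"]
            and q.get("view") == ["List"]
            and any(XSS_RE.search(v) for v in q.get("app", []))):
        hits.append("CVE-2018-8047")

    # CVE-2016-10754: SQL injection through contactidlist. The parameter is a
    # list of record ids, so anything but digits and commas is an injection attempt.
    if any(NOT_ID_LIST_RE.search(v) for v in q.get("contactidlist", []) + b.get("contactidlist", [])):
        hits.append("CVE-2016-10754")

    # CVE-2019-19202: roleid in a POST body. Role assignment is an admin action,
    # so a self-service preferences save carrying it is the escalation request
    # the advisory describes. Requires a log source that records bodies.
    if "roleid" in b:
        hits.append("CVE-2019-19202")

    # CVE-2015-6000: direct fetch of an executable file under test/logo/, the
    # second stage of the upload-then-execute chain.
    if LOGO_EXEC_RE.search(path):
        hits.append("CVE-2015-6000")

    # CVE-2013-3212: local file include in customerportal.php. The advisory does
    # not name the parameter, so (assumption) any parameter with a traversal
    # sequence is flagged.
    if path.endswith("/customerportal.php") and any(
            TRAVERSAL_RE.search(v) for vals in list(q.values()) + list(b.values()) for v in vals):
        hits.append("CVE-2013-3212")

    return hits


# Constructed sample traffic, not real logs: (method, URI, urlencoded POST body).
SAMPLE_REQUESTS = [
    ("GET", "/vtigercrm/libraries/", ""),
    ("GET", "/vtigercrm/libraries/jquery/jquery.min.js", ""),
    ("GET", "/vtigercrm/index.php?module=Users&view=%3Cscript%3Ealert(1)%3C/script%3E", ""),
    ("GET", "/vtigercrm/index.php?module=Contacts&view=List&app=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E", ""),
    ("GET", "/vtigercrm/index.php?module=Calendar&contactidlist=1)%20UNION%20SELECT%20user_name,user_password%20FROM%20vtiger_users--", ""),
    ("GET", "/vtigercrm/index.php?module=Calendar&contactidlist=12,15", ""),
    ("POST", "/vtigercrm/index.php", "module=Users&action=Save&first_name=Alice&roleid=H2"),
    ("POST", "/vtigercrm/index.php", "module=Users&action=Save&first_name=Alice"),
    ("GET", "/vtigercrm/test/logo/shell.php?cmd=id", ""),
    ("GET", "/vtigercrm/test/logo/company.png", ""),
    ("GET", "/vtigercrm/customerportal.php?file=../../../../etc/passwd", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (method, uri, hits) for every request that matches at least one pattern."""
    flagged = []
    for method, uri, body in requests:
        hits = match_indicators(method, uri, body)
        if hits:
            flagged.append((method, uri, hits))
    return flagged


if __name__ == "__main__":
    for method, uri, hits in scan():
        print(", ".join(hits), method, uri)
```

Run as a script it prints one line per flagged request; in a SIEM you would feed parsed request fields in place of SAMPLE_REQUESTS. The rules key on structure rather than on a literal attack string (a bare directory request, a non-numeric id list, a role field inside a self-service save), which survives the trivial payload re-encodings that a signature match misses.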

 


Copyright 2024, cxsecurity.com

 
