Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4

Risk: Low
Local: Yes
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101 References Description vtigerCRM is a Open Source Customer Relationship Management (CRM) Software. The application is vulnerable to simple Cross Site Scripting, which can be used for several isues Example Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with: http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script> Workaround/Fix vtiger CRM Security Patch for 5.0.4 [1] Disclosure Timeline 2008-07-28 Vendor contacted 2008-07-28 Vendor fixed issue in test environment 2008-07-30 Vender released patch 2008-07-30 Vendor dev statet they'll release a second patch within days 2008-09-01 published advisory, no second patch from upstream yet CVE Information The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list (, which standardizes names for security problems. Credits and copyright This vulnerability was discovered by Fabian Fingerle [2] (published with help from Hanno Boeck [3]). It's licensed under the creative commons attribution license [4]. Fabian Fingerle, 2008-09-01


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top