Vulnerabilities > Vtiger > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-14 | CVE-2023-38891 | SQL Injection vulnerability in Vtiger CRM 7.5.0 SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. | 8.8 |
| 2021-04-29 | CVE-2020-22807 | SQL Injection vulnerability in Vtiger CRM 7.2.0 An issue was dicovered in vtiger crm 7.2. | 7.5 |
| 2020-01-29 | CVE-2013-3215 | Improper Authentication vulnerability in Vtiger CRM vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. | 7.5 |
| 2020-01-28 | CVE-2013-3214 | Injection vulnerability in Vtiger CRM vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. | 7.5 |
| 2019-05-17 | CVE-2019-11057 | SQL Injection vulnerability in Vtiger CRM SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | 8.8 |
| 2017-04-14 | CVE-2016-1713 | Unrestricted Upload of File with Dangerous Type vulnerability in Vtiger CRM 6.4.0 Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. | 8.5 |
| 2014-04-02 | CVE-2013-3213 | SQL Injection vulnerability in Vtiger CRM Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. | 7.5 |
| 2011-11-28 | CVE-2011-4559 | SQL Injection vulnerability in Vtiger CRM SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. | 7.5 |
| 2009-09-18 | CVE-2009-3249 | Path Traversal vulnerability in Vtiger CRM 5.0.4 Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. | 7.5 |
| 2007-07-06 | CVE-2007-3599 | Remote Security vulnerability in vtiger CRM vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission. | 8.5 |