Vulnerabilities > Vtiger > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-14 | CVE-2023-38891 | SQL Injection vulnerability in Vtiger CRM 7.5.0 SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. | 8.8 |
| 2020-02-07 | CVE-2013-3591 | Unrestricted Upload of File with Dangerous Type vulnerability in Vtiger CRM 5.3.0/5.4.0 vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability | 8.8 |
| 2020-02-06 | CVE-2015-6000 | Unrestricted Upload of File with Dangerous Type vulnerability in Vtiger CRM Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. | 8.8 |
| 2020-01-28 | CVE-2013-3212 | Injection vulnerability in Vtiger CRM vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. | 8.1 |
| 2019-11-21 | CVE-2019-19202 | Incorrect Default Permissions vulnerability in Vtiger CRM 7.0/7.0.1/7.1.0 In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | 8.8 |
| 2019-05-24 | CVE-2016-10754 | SQL Injection vulnerability in Vtiger CRM 6.5.0 modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. | 8.8 |
| 2019-05-17 | CVE-2019-11057 | SQL Injection vulnerability in Vtiger CRM SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | 8.8 |
| 2019-01-04 | CVE-2019-5009 | Unrestricted Upload of File with Dangerous Type vulnerability in Vtiger CRM Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. | 7.2 |
| 2017-04-14 | CVE-2016-1713 | Unrestricted Upload of File with Dangerous Type vulnerability in Vtiger CRM 6.4.0 Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. | 7.3 |
| 2016-08-01 | CVE-2016-4834 | Permissions, Privileges, and Access Controls vulnerability in Vtiger CRM modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. | 8.1 |