Vulnerabilities > Vtiger > Vtiger CRM > 5.4.0
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2014-11-16 | CVE-2014-2268 | Permissions, Privileges, and Access Controls vulnerability in Vtiger CRM views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. | 5.0 |
2014-08-12 | CVE-2014-1222 | Path Traversal vulnerability in Vtiger CRM Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. | 4.0 |
2014-04-02 | CVE-2013-3213 | SQL Injection vulnerability in Vtiger CRM Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. | 7.5 |
2013-10-04 | CVE-2013-5091 | SQL Injection vulnerability in Vtiger CRM SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. | 6.5 |