Vulnerabilities > Vtiger > Vtiger CRM > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-05-24 CVE-2016-10754 SQL Injection vulnerability in Vtiger CRM 6.5.0
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
network
low complexity
vtiger CWE-89
6.5
2019-01-04 CVE-2019-5009 Unrestricted Upload of File with Dangerous Type vulnerability in Vtiger CRM
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40.
network
low complexity
vtiger CWE-434
6.5
2016-08-01 CVE-2016-4834 Permissions, Privileges, and Access Controls vulnerability in Vtiger CRM
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
network
low complexity
vtiger CWE-264
5.5
2014-11-16 CVE-2014-2268 Permissions, Privileges, and Access Controls vulnerability in Vtiger CRM
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.
network
low complexity
vtiger CWE-264
5.0
2014-08-12 CVE-2014-1222 Path Traversal vulnerability in Vtiger CRM
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a ..
network
low complexity
vtiger CWE-22
4.0
2014-04-22 CVE-2014-2269 Improper Input Validation vulnerability in Vtiger CRM 6.0.0
modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.
network
low complexity
vtiger CWE-20
6.4
2013-10-04 CVE-2013-5091 SQL Injection vulnerability in Vtiger CRM
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
network
low complexity
vtiger CWE-89
6.5
2012-09-06 CVE-2012-4867 Path Traversal vulnerability in Vtiger CRM 5.1.0
Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a ..
network
low complexity
vtiger CWE-22
5.0
2011-12-07 CVE-2011-4680 Cross-Site Scripting vulnerability in Vtiger CRM
Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
vtiger CWE-79
4.3
2011-12-07 CVE-2011-4679 Permissions, Privileges, and Access Controls vulnerability in Vtiger CRM
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.
network
low complexity
vtiger CWE-264
4.0