Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Vtiger_crm
(Vtiger)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 64 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-02-06 | CVE-2015-6000 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. | Vtiger_crm | N/A | ||
| 2020-01-28 | CVE-2013-3212 | vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. | Vtiger_crm | N/A | ||
| 2020-01-29 | CVE-2013-3215 | vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. | Vtiger_crm | N/A | ||
| 2020-01-28 | CVE-2013-3214 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. | Vtiger_crm | N/A | ||
| 2019-11-21 | CVE-2019-19202 | In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | Vtiger_crm | N/A | ||
| 2019-01-04 | CVE-2019-5009 | Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php. | Vtiger_crm | N/A | ||
| 2019-06-06 | CVE-2018-8047 | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). | Vtiger_crm | 6.1 | ||
| 2019-05-24 | CVE-2016-10754 | modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. | Vtiger_crm | 8.8 | ||
| 2017-04-14 | CVE-2016-1713 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. | Vtiger_crm | 7.3 | ||
| 2014-04-22 | CVE-2014-2269 | modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters. | Vtiger_crm | N/A |