Search
Search Results (74 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-5009 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 7.2 High |
| Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php. | ||||
| CVE-2019-19202 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 8.8 High |
| In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. | ||||
| CVE-2019-11057 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 8.8 High |
| SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | ||||
| CVE-2018-8047 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | N/A |
| vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). | ||||
| CVE-2016-10754 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | N/A |
| modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. | ||||
| CVE-2015-6000 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 8.8 High |
| Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. | ||||
| CVE-2013-3591 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 8.8 High |
| vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability | ||||
| CVE-2013-3215 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 9.8 Critical |
| vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. | ||||
| CVE-2013-3214 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 9.8 Critical |
| vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. | ||||
| CVE-2013-3212 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 8.1 High |
| vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. | ||||
| CVE-2024-48119 | 1 Vtiger | 1 Vtiger Crm | 2024-10-30 | 5.4 Medium |
| Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML. | ||||
| CVE-2024-44778 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | 7.4 High |
| A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2024-44779 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | 7.4 High |
| A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2024-44777 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | 7.4 High |
| A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||