Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
224 vulnerabilities by vtiger
CVE-2026-23698 (GCVE-0-2026-23698)
Vulnerability from nvd – Published: 2026-07-07 16:10 – Updated: 2026-07-07 17:11 X_Open Source- CWE-434 - Unrestricted Upload of File with Dangerous Type
| URL | Tags |
|---|---|
| https://jivasecurity.com/writeups/vtiger-rce-modu… | technical-descriptionexploit |
| https://www.vtiger.com/ | product |
| https://www.vulncheck.com/advisories/vtiger-crm-a… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Vtiger | Vtiger CRM |
Affected:
0 , ≤ 8.4.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23698",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T17:11:14.403153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:11:21.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vtiger CRM",
"repo": "https://sourceforge.net/projects/vtigercrm/",
"vendor": "Vtiger",
"versions": [
{
"lessThanOrEqual": "8.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiva (JivaSecurity)"
}
],
"datePublic": "2026-07-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents directly into the modules/ directory under the web root without validating file types beyond the manifest.xml descriptor. Attackers can place executable PHP files in the modules/ directory that become directly accessible via HTTP, bypassing Vtiger\u0027s authentication and authorization layer entirely since Apache resolves the path and invokes the PHP interpreter before the application routing layer is involved, resulting in a persistent web shell independent of the originating session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:10:24.356Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://jivasecurity.com/writeups/vtiger-rce-module-import-cve-2026-23698"
},
{
"name": "Project Homepage",
"tags": [
"product"
],
"url": "https://www.vtiger.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vtiger-crm-authenticated-rce-via-module-import-file-upload"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23698",
"datePublished": "2026-07-07T16:10:24.356Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-07-07T17:11:21.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23697 (GCVE-0-2026-23697)
Vulnerability from nvd – Published: 2026-07-07 16:17 – Updated: 2026-07-07 17:31 X_Open Source- CWE-434 - Unrestricted Upload of File with Dangerous Type
| URL | Tags |
|---|---|
| https://jivasecurity.com/writeups/vtiger-rce-phar… | technical-descriptionexploit |
| https://www.vtiger.com/ | product |
| https://www.vulncheck.com/advisories/vtiger-crm-a… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Vtiger | Vtiger CRM |
Affected:
0 , ≤ 8.3.0
(semver)
Unaffected: 8.4.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23697",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T17:31:42.988594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:31:49.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vtiger CRM",
"repo": "https://sourceforge.net/projects/vtigercrm/",
"vendor": "Vtiger",
"versions": [
{
"lessThanOrEqual": "8.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiva (JivaSecurity)"
}
],
"datePublic": "2026-07-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:17:02.850Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://jivasecurity.com/writeups/vtiger-rce-phar-upload-cve-2026-23697"
},
{
"name": "Project Homepage",
"tags": [
"product"
],
"url": "https://www.vtiger.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vtiger-crm-authenticated-file-upload-rce-via-documents-module"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vtiger CRM \u003c 8.4.0 Authenticated File Upload RCE via Documents Module",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23697",
"datePublished": "2026-07-07T16:17:02.850Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-07-07T17:31:49.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-45753 (GCVE-0-2025-45753)
Vulnerability from nvd – Published: 2025-05-21 00:00 – Updated: 2025-05-22 13:26- n/a
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45753",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T13:25:07.838963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T13:26:12.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T20:42:06.813Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.simonjuguna.com/cve-2025-45753-authenticated-remote-code-execution-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45753",
"datePublished": "2025-05-21T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-22T13:26:12.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-45755 (GCVE-0-2025-45755)
Vulnerability from nvd – Published: 2025-05-21 00:00 – Updated: 2025-05-21 20:00- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45755",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T19:58:58.784219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T20:00:34.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T19:37:54.373Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.vtiger.com/open-source-crm/"
},
{
"url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45755",
"datePublished": "2025-05-21T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-21T20:00:34.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1618 (GCVE-0-2025-1618)
Vulnerability from nvd – Published: 2025-02-24 04:31 – Updated: 2025-03-03 06:38| URL | Tags |
|---|---|
| https://vuldb.com/?id.296608 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.296608 | signaturepermissions-required |
| https://vuldb.com/?submit.501840 | third-party-advisory |
| https://www.vtiger.com/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1618",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T12:58:41.333628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T12:58:45.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRM",
"vendor": "vTiger",
"versions": [
{
"status": "affected",
"version": "6.4.0"
},
{
"status": "affected",
"version": "6.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stux (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "In vTiger CRM 6.4.0/6.5.0 wurde eine problematische Schwachstelle gefunden. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /modules/Mobile/index.php. Durch Manipulation des Arguments _operation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 7.0 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T06:38:54.934Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-296608 | vTiger CRM index.php cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.296608"
},
{
"name": "VDB-296608 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.296608"
},
{
"name": "Submit #501840 | vtiger Vtiger CRM 6.4.0 Reflected Cross-Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.501840"
},
{
"tags": [
"product"
],
"url": "https://www.vtiger.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-03T07:43:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "vTiger CRM index.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-1618",
"datePublished": "2025-02-24T04:31:04.303Z",
"dateReserved": "2025-02-23T09:48:26.096Z",
"dateUpdated": "2025-03-03T06:38:54.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54687 (GCVE-0-2024-54687)
Vulnerability from nvd – Published: 2025-01-10 00:00 – Updated: 2025-01-13 20:05- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:03:34.302362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:05:45.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T18:12:14.324Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://andrea0.medium.com"
},
{
"url": "https://andrea0.medium.com/analysis-of-cve-2024-54687-9d82f4c0eaa8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-54687",
"datePublished": "2025-01-10T00:00:00.000Z",
"dateReserved": "2024-12-06T00:00:00.000Z",
"dateUpdated": "2025-01-13T20:05:45.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48119 (GCVE-0-2024-48119)
Vulnerability from nvd – Published: 2024-10-14 00:00 – Updated: 2024-10-17 17:32- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
8.2.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "8.2.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48119",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T17:31:38.560198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:32:57.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T13:42:20.618Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://okankurtulus.com.tr/2024/09/12/vtiger-crm-v8-2-0-html-injection-authenticated/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-48119",
"datePublished": "2024-10-14T00:00:00.000Z",
"dateReserved": "2024-10-08T00:00:00.000Z",
"dateUpdated": "2024-10-17T17:32:57.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-44779 (GCVE-0-2024-44779)
Vulnerability from nvd – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
7.4.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "7.4.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-44779",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:00:10.897177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:03:08.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:57.189Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44779",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:57.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44778 (GCVE-0-2024-44778)
Vulnerability from nvd – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
7.4.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "7.4.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-44778",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:04:46.600613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:05:39.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:53.072Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44778",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:53.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44777 (GCVE-0-2024-44777)
Vulnerability from nvd – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
7.4.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "7.4.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-44777",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:06:47.240923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:07:31.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:48.666Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44777",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:48.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44776 (GCVE-0-2024-44776)
Vulnerability from nvd – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:09:10.787930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T16:10:43.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:44.787Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180461/vTiger-CRM-7.4.0-Open-Redirection.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44776",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:44.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-42995 (GCVE-0-2024-42995)
Vulnerability from nvd – Published: 2024-08-16 00:00 – Updated: 2024-08-16 17:53- n/a
- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
0 , ≤ 8.1.0
(custom)
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42995",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T17:51:00.562336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T17:53:33.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VTiger CRM \u003c= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the \"Migration\" administrative module to disable arbitrary modules."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T16:54:16.270Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.shielder.com/advisories/vtiger-migration-bac/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42995",
"datePublished": "2024-08-16T00:00:00.000Z",
"dateReserved": "2024-08-05T00:00:00.000Z",
"dateUpdated": "2024-08-16T17:53:33.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42994 (GCVE-0-2024-42994)
Vulnerability from nvd – Published: 2024-08-16 00:00 – Updated: 2024-08-16 17:58- n/a
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
0 , ≤ 8.1.0
(custom)
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42994",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T17:56:20.836684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T17:58:59.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VTiger CRM \u003c= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the \"CompanyDetails\" operation of the \"MailManager\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T16:53:05.574Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.shielder.com/advisories/vtiger-mailmanager-sqli/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42994",
"datePublished": "2024-08-16T00:00:00.000Z",
"dateReserved": "2024-08-05T00:00:00.000Z",
"dateUpdated": "2024-08-16T17:58:59.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46304 (GCVE-0-2023-46304)
Vulnerability from nvd – Published: 2024-04-30 00:00 – Updated: 2024-08-02 20:45- n/a
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
*7.5.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "*7.5.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46304",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-30T14:46:31.688571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:22:16.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:45:40.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.vtiger.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jselliott/CVE-2023-46304"
},
{
"tags": [
"x_transferred"
],
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-30T13:04:03.597Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.vtiger.com/"
},
{
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php"
},
{
"url": "https://github.com/jselliott/CVE-2023-46304"
},
{
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-46304",
"datePublished": "2024-04-30T00:00:00.000Z",
"dateReserved": "2023-10-22T00:00:00.000Z",
"dateUpdated": "2024-08-02T20:45:40.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-23697 (GCVE-0-2026-23697)
Vulnerability from cvelistv5 – Published: 2026-07-07 16:17 – Updated: 2026-07-07 17:31 X_Open Source- CWE-434 - Unrestricted Upload of File with Dangerous Type
| URL | Tags |
|---|---|
| https://jivasecurity.com/writeups/vtiger-rce-phar… | technical-descriptionexploit |
| https://www.vtiger.com/ | product |
| https://www.vulncheck.com/advisories/vtiger-crm-a… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Vtiger | Vtiger CRM |
Affected:
0 , ≤ 8.3.0
(semver)
Unaffected: 8.4.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23697",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T17:31:42.988594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:31:49.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vtiger CRM",
"repo": "https://sourceforge.net/projects/vtigercrm/",
"vendor": "Vtiger",
"versions": [
{
"lessThanOrEqual": "8.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiva (JivaSecurity)"
}
],
"datePublic": "2026-07-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:17:02.850Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://jivasecurity.com/writeups/vtiger-rce-phar-upload-cve-2026-23697"
},
{
"name": "Project Homepage",
"tags": [
"product"
],
"url": "https://www.vtiger.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vtiger-crm-authenticated-file-upload-rce-via-documents-module"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vtiger CRM \u003c 8.4.0 Authenticated File Upload RCE via Documents Module",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23697",
"datePublished": "2026-07-07T16:17:02.850Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-07-07T17:31:49.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23698 (GCVE-0-2026-23698)
Vulnerability from cvelistv5 – Published: 2026-07-07 16:10 – Updated: 2026-07-07 17:11 X_Open Source- CWE-434 - Unrestricted Upload of File with Dangerous Type
| URL | Tags |
|---|---|
| https://jivasecurity.com/writeups/vtiger-rce-modu… | technical-descriptionexploit |
| https://www.vtiger.com/ | product |
| https://www.vulncheck.com/advisories/vtiger-crm-a… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Vtiger | Vtiger CRM |
Affected:
0 , ≤ 8.4.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23698",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T17:11:14.403153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:11:21.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vtiger CRM",
"repo": "https://sourceforge.net/projects/vtigercrm/",
"vendor": "Vtiger",
"versions": [
{
"lessThanOrEqual": "8.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiva (JivaSecurity)"
}
],
"datePublic": "2026-07-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents directly into the modules/ directory under the web root without validating file types beyond the manifest.xml descriptor. Attackers can place executable PHP files in the modules/ directory that become directly accessible via HTTP, bypassing Vtiger\u0027s authentication and authorization layer entirely since Apache resolves the path and invokes the PHP interpreter before the application routing layer is involved, resulting in a persistent web shell independent of the originating session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:10:24.356Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://jivasecurity.com/writeups/vtiger-rce-module-import-cve-2026-23698"
},
{
"name": "Project Homepage",
"tags": [
"product"
],
"url": "https://www.vtiger.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vtiger-crm-authenticated-rce-via-module-import-file-upload"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-23698",
"datePublished": "2026-07-07T16:10:24.356Z",
"dateReserved": "2026-01-14T22:02:15.209Z",
"dateUpdated": "2026-07-07T17:11:21.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-45753 (GCVE-0-2025-45753)
Vulnerability from cvelistv5 – Published: 2025-05-21 00:00 – Updated: 2025-05-22 13:26- n/a
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45753",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T13:25:07.838963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T13:26:12.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T20:42:06.813Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.simonjuguna.com/cve-2025-45753-authenticated-remote-code-execution-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45753",
"datePublished": "2025-05-21T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-22T13:26:12.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-45755 (GCVE-0-2025-45755)
Vulnerability from cvelistv5 – Published: 2025-05-21 00:00 – Updated: 2025-05-21 20:00- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45755",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T19:58:58.784219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T20:00:34.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T19:37:54.373Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.vtiger.com/open-source-crm/"
},
{
"url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45755",
"datePublished": "2025-05-21T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-21T20:00:34.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1618 (GCVE-0-2025-1618)
Vulnerability from cvelistv5 – Published: 2025-02-24 04:31 – Updated: 2025-03-03 06:38| URL | Tags |
|---|---|
| https://vuldb.com/?id.296608 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.296608 | signaturepermissions-required |
| https://vuldb.com/?submit.501840 | third-party-advisory |
| https://www.vtiger.com/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1618",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T12:58:41.333628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T12:58:45.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRM",
"vendor": "vTiger",
"versions": [
{
"status": "affected",
"version": "6.4.0"
},
{
"status": "affected",
"version": "6.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stux (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "In vTiger CRM 6.4.0/6.5.0 wurde eine problematische Schwachstelle gefunden. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /modules/Mobile/index.php. Durch Manipulation des Arguments _operation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 7.0 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T06:38:54.934Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-296608 | vTiger CRM index.php cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.296608"
},
{
"name": "VDB-296608 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.296608"
},
{
"name": "Submit #501840 | vtiger Vtiger CRM 6.4.0 Reflected Cross-Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.501840"
},
{
"tags": [
"product"
],
"url": "https://www.vtiger.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-03T07:43:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "vTiger CRM index.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-1618",
"datePublished": "2025-02-24T04:31:04.303Z",
"dateReserved": "2025-02-23T09:48:26.096Z",
"dateUpdated": "2025-03-03T06:38:54.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54687 (GCVE-0-2024-54687)
Vulnerability from cvelistv5 – Published: 2025-01-10 00:00 – Updated: 2025-01-13 20:05- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:03:34.302362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:05:45.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T18:12:14.324Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://andrea0.medium.com"
},
{
"url": "https://andrea0.medium.com/analysis-of-cve-2024-54687-9d82f4c0eaa8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-54687",
"datePublished": "2025-01-10T00:00:00.000Z",
"dateReserved": "2024-12-06T00:00:00.000Z",
"dateUpdated": "2025-01-13T20:05:45.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48119 (GCVE-0-2024-48119)
Vulnerability from cvelistv5 – Published: 2024-10-14 00:00 – Updated: 2024-10-17 17:32- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
8.2.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "8.2.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48119",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T17:31:38.560198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:32:57.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T13:42:20.618Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://okankurtulus.com.tr/2024/09/12/vtiger-crm-v8-2-0-html-injection-authenticated/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-48119",
"datePublished": "2024-10-14T00:00:00.000Z",
"dateReserved": "2024-10-08T00:00:00.000Z",
"dateUpdated": "2024-10-17T17:32:57.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-44777 (GCVE-0-2024-44777)
Vulnerability from cvelistv5 – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
7.4.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "7.4.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-44777",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:06:47.240923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:07:31.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:48.666Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44777",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:48.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44776 (GCVE-0-2024-44776)
Vulnerability from cvelistv5 – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:09:10.787930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T16:10:43.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:44.787Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180461/vTiger-CRM-7.4.0-Open-Redirection.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44776",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:44.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44779 (GCVE-0-2024-44779)
Vulnerability from cvelistv5 – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
7.4.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "7.4.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-44779",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:00:10.897177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:03:08.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:57.189Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44779",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:57.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44778 (GCVE-0-2024-44778)
Vulnerability from cvelistv5 – Published: 2024-08-29 00:00 – Updated: 2026-07-05 00:43- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
7.4.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "7.4.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-44778",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:04:46.600613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:05:39.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user\u0027s browser via injecting a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T00:43:53.072Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com/files/180462/vTiger-CRM-7.4.0-Cross-Site-Scripting.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-44778",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-08-21T00:00:00.000Z",
"dateUpdated": "2026-07-05T00:43:53.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-42994 (GCVE-0-2024-42994)
Vulnerability from cvelistv5 – Published: 2024-08-16 00:00 – Updated: 2024-08-16 17:58- n/a
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
0 , ≤ 8.1.0
(custom)
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42994",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T17:56:20.836684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T17:58:59.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VTiger CRM \u003c= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the \"CompanyDetails\" operation of the \"MailManager\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T16:53:05.574Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.shielder.com/advisories/vtiger-mailmanager-sqli/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42994",
"datePublished": "2024-08-16T00:00:00.000Z",
"dateReserved": "2024-08-05T00:00:00.000Z",
"dateUpdated": "2024-08-16T17:58:59.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42995 (GCVE-0-2024-42995)
Vulnerability from cvelistv5 – Published: 2024-08-16 00:00 – Updated: 2024-08-16 17:53- n/a
- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
0 , ≤ 8.1.0
(custom)
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42995",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T17:51:00.562336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T17:53:33.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VTiger CRM \u003c= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the \"Migration\" administrative module to disable arbitrary modules."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T16:54:16.270Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.shielder.com/advisories/vtiger-migration-bac/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42995",
"datePublished": "2024-08-16T00:00:00.000Z",
"dateReserved": "2024-08-05T00:00:00.000Z",
"dateUpdated": "2024-08-16T17:53:33.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46304 (GCVE-0-2023-46304)
Vulnerability from cvelistv5 – Published: 2024-04-30 00:00 – Updated: 2024-08-02 20:45- n/a
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Vendor | Product | Version | |
|---|---|---|---|
| vtiger | vtiger_crm |
Affected:
*7.5.0
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "vtiger_crm",
"vendor": "vtiger",
"versions": [
{
"status": "affected",
"version": "*7.5.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46304",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-30T14:46:31.688571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:22:16.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:45:40.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.vtiger.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jselliott/CVE-2023-46304"
},
{
"tags": [
"x_transferred"
],
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-30T13:04:03.597Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.vtiger.com/"
},
{
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/Module.php"
},
{
"url": "https://github.com/jselliott/CVE-2023-46304"
},
{
"url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-46304",
"datePublished": "2024-04-30T00:00:00.000Z",
"dateReserved": "2023-10-22T00:00:00.000Z",
"dateUpdated": "2024-08-02T20:45:40.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-201402-0420
Vulnerability from variot - Updated: 2024-02-14 23:01Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php. (1) modules\com_vtiger_workflow\savetemplate.php of return_url Parameters (2) deletetask.php Unspecified elements (3) edittask.php Unspecified elements (4) savetask.php Unspecified elements (5) saveworkflow.php Unspecified elements. Vtiger CRM is a set of customer relationship management system (CRM) based on SugarCRM developed by Vtiger in the United States. The management system provides functions such as management, collection, and analysis of customer information. A cross-site scripting vulnerability exists in Vtiger, which stems from programs that do not properly filter input submitted by users. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may cause the attacker to steal cookie-based authentication and launch other attacks. Vtiger 5.4.0 has vulnerabilities. Other versions may also be affected. [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting
I. * Information *
Name : Vtiger 5.4.0 Reflected Cross Site Scripting Software : Vtiger 5.4.0 and possibly below. Vendor Homepage : https://www.vtiger.com/ Vulnerability Type : Reflected Cross-Site Scripting Severity : Medium (3/5) Advisory Reference : SOJOBO-ADV-13-05 (http://www.enkomio.com/Advisories) Credits: Sojobo dev team Description: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static Analysis Tool.
II. * Details *
A) Reflected Cross Site Scripting in savetemplate.php, deletetask.php, edittask.php, savetask.php and saveworkflow.php [Impact: 3/5]
Follow a trace to reach the vulnerable code.
File: \modules\com_vtiger_workflow\savetemplate.php 45: vtSaveWorkflowTemplate($adb, $_REQUEST); ... 37: $returnUrl = $request['return_url']; ... 40: window.location="";
The variable 'return_url' isn't correctly validated before to be printed in the page.
A test request is: /index.php?module=com_vtiger_workflow&action=savetemplate&return_url=">alert('xss');
III. * Report Timeline *
26 October 2013 - First contact 29 October 2013 - Fix announced on the new version 10 December 2013 - Fix release with the new version
IV. * About Sojobo *
Sojobo allows you to find security vulnerabilities in your PHP web application source code before others do. By using the state of the art techniques Sojobo is able to identify the most critical vulnerabilities in your code and limit the number of false positives
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201402-0420",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "crm",
"scope": "eq",
"trust": 2.4,
"vendor": "vtiger",
"version": "5.4.0"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vtiger:vtiger_crm:5.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sojobo dev team",
"sources": [
{
"db": "BID",
"id": "64236"
},
{
"db": "PACKETSTORM",
"id": "124402"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
}
],
"trust": 1.0
},
"cve": "CVE-2013-7326",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2013-7326",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-67328",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-7326",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201402-213",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-67328",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67328"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\\com_vtiger_workflow\\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php. (1) modules\\com_vtiger_workflow\\savetemplate.php of return_url Parameters (2) deletetask.php Unspecified elements (3) edittask.php Unspecified elements (4) savetask.php Unspecified elements (5) saveworkflow.php Unspecified elements. Vtiger CRM is a set of customer relationship management system (CRM) based on SugarCRM developed by Vtiger in the United States. The management system provides functions such as management, collection, and analysis of customer information. \nA cross-site scripting vulnerability exists in Vtiger, which stems from programs that do not properly filter input submitted by users. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may cause the attacker to steal cookie-based authentication and launch other attacks. Vtiger 5.4.0 has vulnerabilities. Other versions may also be affected. [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting\n\n\nI. * Information *\n==================\nName : Vtiger 5.4.0 Reflected Cross Site Scripting\nSoftware : Vtiger 5.4.0 and possibly below. \nVendor Homepage : https://www.vtiger.com/\nVulnerability Type : Reflected Cross-Site Scripting\nSeverity : Medium (3/5)\nAdvisory Reference : SOJOBO-ADV-13-05 (http://www.enkomio.com/Advisories)\nCredits: Sojobo dev team\nDescription: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static Analysis Tool. \n\n\nII. * Details *\n===============\nA) Reflected Cross Site Scripting in savetemplate.php, deletetask.php, edittask.php, savetask.php and saveworkflow.php [Impact: 3/5]\n\n\nFollow a trace to reach the vulnerable code. \n\n\nFile: \\modules\\com_vtiger_workflow\\savetemplate.php\n45: vtSaveWorkflowTemplate($adb, $_REQUEST);\n... \n37: $returnUrl = $request[\u0027return_url\u0027];\n... \n40: window.location=\"\u003c?php echo $returnUrl?\u003e\";\n\n\nThe variable \u0027return_url\u0027 isn\u0027t correctly validated before to be printed in the page. \n\n\nA test request is: /index.php?module=com_vtiger_workflow\u0026action=savetemplate\u0026return_url=\"\u003e\u003cscript\u003ealert(\u0027xss\u0027);\u003c/script\u003e\n\n\nIII. * Report Timeline *\n========================\n\n\n26 October 2013 - First contact\n29 October 2013 - Fix announced on the new version\n10 December 2013 - Fix release with the new version\n\n\nIV. * About Sojobo *\n====================\nSojobo allows you to find security vulnerabilities in your PHP web application source code before others do. \nBy using the state of the art techniques Sojobo is able to identify the most critical vulnerabilities in your code \nand limit the number of false positives",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-7326"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"db": "BID",
"id": "64236"
},
{
"db": "VULHUB",
"id": "VHN-67328"
},
{
"db": "PACKETSTORM",
"id": "124402"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-7326",
"trust": 2.8
},
{
"db": "BID",
"id": "64236",
"trust": 2.0
},
{
"db": "PACKETSTORM",
"id": "124402",
"trust": 1.8
},
{
"db": "OSVDB",
"id": "100897",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258",
"trust": 0.6
},
{
"db": "XF",
"id": "89662",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20131211 [SOJOBO-ADV-13-05] - VTIGER 5.4.0 REFLECTED CROSS SITE SCRIPTING",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-67328",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67328"
},
{
"db": "BID",
"id": "64236"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "PACKETSTORM",
"id": "124402"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"id": "VAR-201402-0420",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-67328"
}
],
"trust": 0.62916664
},
"last_update_date": "2024-02-14T23:01:32.535000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.vtiger.com/crm/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67328"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.enkomio.com/advisory/sojobo-adv-13-05"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/64236"
},
{
"trust": 1.7,
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html"
},
{
"trust": 1.7,
"url": "http://packetstormsecurity.com/files/124402"
},
{
"trust": 1.7,
"url": "http://osvdb.org/100897"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7326"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7326"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/89662"
},
{
"trust": 0.3,
"url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%205.1.0/"
},
{
"trust": 0.1,
"url": "http://www.enkomio.com/advisories)"
},
{
"trust": 0.1,
"url": "https://www.vtiger.com/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67328"
},
{
"db": "BID",
"id": "64236"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "PACKETSTORM",
"id": "124402"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-67328"
},
{
"db": "BID",
"id": "64236"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"db": "PACKETSTORM",
"id": "124402"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-02-14T00:00:00",
"db": "VULHUB",
"id": "VHN-67328"
},
{
"date": "2013-12-11T00:00:00",
"db": "BID",
"id": "64236"
},
{
"date": "2014-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"date": "2013-12-12T04:41:27",
"db": "PACKETSTORM",
"id": "124402"
},
{
"date": "2013-12-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"date": "2014-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"date": "2014-02-14T19:55:26.717000",
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-29T00:00:00",
"db": "VULHUB",
"id": "VHN-67328"
},
{
"date": "2014-02-18T15:27:00",
"db": "BID",
"id": "64236"
},
{
"date": "2014-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006053"
},
{
"date": "2013-12-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"date": "2014-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201402-213"
},
{
"date": "2024-02-14T01:17:43.863000",
"db": "NVD",
"id": "CVE-2013-7326"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
}
],
"trust": 1.2
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "vTiger CRM Vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006053"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "124402"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-258"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-213"
}
],
"trust": 1.3
}
}
VAR-200808-0340
Vulnerability from variot - Updated: 2024-02-13 23:03Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. vtiger CRM is prone to an information-disclosure vulnerability because the application fails to properly sanitize user-supplied input. A remote attacker may exploit this vulnerability to retrieve arbitrary files that may contain potentially sensitive information. Information harvested may be used in further attacks. This issue affects versions prior to vtiger CRM 5.0.4 RC. Vtiger CRM is an open source web-based customer relationship management system (CRM) based on Sales Force Automation (SFA).
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched.
Download and test it today: https://psi.secunia.com/
Read more about this new version: https://psi.secunia.com/?page=changelog
TITLE: vtiger CRM File Disclosure Vulnerability
SECUNIA ADVISORY ID: SA28370
VERIFY ADVISORY: http://secunia.com/advisories/28370/
CRITICAL: Moderately critical
IMPACT: Exposure of sensitive information
WHERE:
From remote
SOFTWARE: vtiger CRM 5.x http://secunia.com/product/14762/
DESCRIPTION: A vulnerability has been reported in vtiger CRM, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to the application not correctly restricting access to e.g. the /test/wordtemplatedownload directory, which can be exploited to list and download directory contents.
SOLUTION: Restrict access to affected directories (e.g. via ".htaccess"). Renaming this file to ".htaccess" prohibits the listing of directory content.
PROVIDED AND/OR DISCOVERED BY: Reported in a bug by "pieper".
ORIGINAL ADVISORY: http://sourceforge.net/project/shownotes.php?release_id=567189
Bug #2107: http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200808-0340",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "crm",
"scope": "lte",
"trust": 1.0,
"vendor": "vtiger",
"version": "5.0.3"
},
{
"model": "crm",
"scope": "eq",
"trust": 0.9,
"vendor": "vtiger",
"version": "5.0.3"
},
{
"model": "crm",
"scope": "lt",
"trust": 0.8,
"vendor": "vtiger",
"version": "5.0.4"
},
{
"model": "crm",
"scope": "eq",
"trust": 0.3,
"vendor": "vtiger",
"version": "4.2.4"
},
{
"model": "crm",
"scope": "eq",
"trust": 0.3,
"vendor": "vtiger",
"version": "4.2"
},
{
"model": "crm rc",
"scope": "ne",
"trust": 0.3,
"vendor": "vtiger",
"version": "5.0.4"
}
],
"sources": [
{
"db": "BID",
"id": "27228"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "5.0.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "pieper is credited with discovering this issue.",
"sources": [
{
"db": "BID",
"id": "27228"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
}
],
"trust": 0.9
},
"cve": "CVE-2008-3458",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2008-3458",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-33583",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2008-3458",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200808-046",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-33583",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2008-3458",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33583"
},
{
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. vtiger CRM is prone to an information-disclosure vulnerability because the application fails to properly sanitize user-supplied input. \nA remote attacker may exploit this vulnerability to retrieve arbitrary files that may contain potentially sensitive information. Information harvested may be used in further attacks. \nThis issue affects versions prior to vtiger CRM 5.0.4 RC. Vtiger CRM is an open source web-based customer relationship management system (CRM) based on Sales Force Automation (SFA). \n\n----------------------------------------------------------------------\n\nA new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI\nhas been released. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. \n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nvtiger CRM File Disclosure Vulnerability\n\nSECUNIA ADVISORY ID:\nSA28370\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/28370/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nExposure of sensitive information\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nvtiger CRM 5.x\nhttp://secunia.com/product/14762/\n\nDESCRIPTION:\nA vulnerability has been reported in vtiger CRM, which can be\nexploited by malicious people to disclose potentially sensitive\ninformation. \n\nThe vulnerability is caused due to the application not correctly\nrestricting access to e.g. the /test/wordtemplatedownload directory,\nwhich can be exploited to list and download directory contents. \n\nSOLUTION:\nRestrict access to affected directories (e.g. via \".htaccess\"). Renaming\nthis file to \".htaccess\" prohibits the listing of directory content. \n\nPROVIDED AND/OR DISCOVERED BY:\nReported in a bug by \"pieper\". \n\nORIGINAL ADVISORY:\nhttp://sourceforge.net/project/shownotes.php?release_id=567189\n\nBug #2107:\nhttp://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2008-3458"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "BID",
"id": "27228"
},
{
"db": "VULHUB",
"id": "VHN-33583"
},
{
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"db": "PACKETSTORM",
"id": "62490"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2008-3458",
"trust": 2.9
},
{
"db": "BID",
"id": "27228",
"trust": 2.1
},
{
"db": "SECUNIA",
"id": "28370",
"trust": 1.9
},
{
"db": "OSVDB",
"id": "40218",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-33583",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2008-3458",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "62490",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33583"
},
{
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"db": "BID",
"id": "27228"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "PACKETSTORM",
"id": "62490"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"id": "VAR-200808-0340",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-33583"
}
],
"trust": 0.62916664
},
"last_update_date": "2024-02-13T23:03:00.705000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "2107",
"trust": 0.8,
"url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33583"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107"
},
{
"trust": 1.9,
"url": "http://sourceforge.net/project/shownotes.php?release_id=567189"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/27228"
},
{
"trust": 1.8,
"url": "http://wiki.vtiger.com/index.php/vtiger_crm_5.0.4_-_release_notes"
},
{
"trust": 1.8,
"url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811"
},
{
"trust": 1.8,
"url": "http://www.osvdb.org/40218"
},
{
"trust": 1.8,
"url": "http://secunia.com/advisories/28370"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3458"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3458"
},
{
"trust": 0.3,
"url": "http://www.vtiger.com/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/28370/"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "https://psi.secunia.com/?page=changelog"
},
{
"trust": 0.1,
"url": "https://psi.secunia.com/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/14762/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33583"
},
{
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"db": "BID",
"id": "27228"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "PACKETSTORM",
"id": "62490"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-33583"
},
{
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"db": "BID",
"id": "27228"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"db": "PACKETSTORM",
"id": "62490"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2008-08-04T00:00:00",
"db": "VULHUB",
"id": "VHN-33583"
},
{
"date": "2008-08-04T00:00:00",
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"date": "2008-01-10T00:00:00",
"db": "BID",
"id": "27228"
},
{
"date": "2012-12-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"date": "2008-01-10T22:33:57",
"db": "PACKETSTORM",
"id": "62490"
},
{
"date": "2008-08-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"date": "2008-08-04T19:41:00",
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-11-22T00:00:00",
"db": "VULHUB",
"id": "VHN-33583"
},
{
"date": "2017-11-22T00:00:00",
"db": "VULMON",
"id": "CVE-2008-3458"
},
{
"date": "2015-05-07T17:33:00",
"db": "BID",
"id": "27228"
},
{
"date": "2012-12-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2006-003712"
},
{
"date": "2022-03-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200808-046"
},
{
"date": "2017-11-22T17:25:31.897000",
"db": "NVD",
"id": "CVE-2008-3458"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vtiger CRM Vulnerable to reading email merge templates",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2006-003712"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200808-046"
}
],
"trust": 0.6
}
}