CVE-2013-3215 — CVSS 9.8 (critical): vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the…
CVE-2024-44777 — CVSS 9.6 (critical): A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute…
CVE-2024-44779 — CVSS 9.6 (critical): A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to…
CVE-2024-44778 — CVSS 9.6 (critical): A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to…
CVE-2009-3258 — CVSS 9.0 (critical): vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3)…
CVE-2009-3250 — CVSS 9.0 (critical): The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute…
CVE-2023-38891 — CVSS 8.8 (high): SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList…
CVE-2019-19202 — CVSS 8.8 (high): In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role…
CVE-2019-11057 — CVSS 8.8 (high): SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
CVE-2016-10754 — CVSS 8.8 (high): modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
CVE-2015-6000 — CVSS 8.8 (high): Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDeta…
CVE-2007-3599 — CVSS 8.5 (high): vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the…
CVE-2024-42995 — CVSS 8.3 (high): VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration"…
CVE-2016-4834 — CVSS 8.1 (high): modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote…
CVE-2013-3212 — CVSS 8.1 (high): vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files…
CVE-2023-46304 — CVSS 8.1 (high): modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected…
CVE-2009-3249 — CVSS 7.5 (high): Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a…
CVE-2005-3819 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass…
CVE-2013-3213 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the…
CVE-2005-3823 — CVSS 7.5 (high): The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the…
CVE-2011-4559 — CVSS 7.5 (high): SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL…
CVE-2005-3822 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1)…
CVE-2006-4617 — CVSS 7.5 (high): Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attackers to…
CVE-2006-5289 — CVSS 7.5 (high): Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a…
CVE-2006-4588 — CVSS 7.5 (high): vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a direct…
CVE-2016-1713 — CVSS 7.3 (high): Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDeta…
CVE-2024-42994 — CVSS 7.2 (high): VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the…
CVE-2019-5009 — CVSS 7.2 (high): Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG…
CVE-2025-45753 — CVSS 7.2 (high): A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by…
CVE-2006-4587 — CVSS 6.8 (medium): Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject arbitrary…
CVE-2009-3248 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication…
CVE-2010-3910 — CVSS 6.8 (medium): Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before…
CVE-2007-3616 — CVSS 6.5 (medium): index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via…
CVE-2007-3603 — CVSS 6.5 (medium): SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users…
CVE-2013-5091 — CVSS 6.5 (medium): SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute…
CVE-2020-19363 — CVSS 6.5 (medium): Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories.
CVE-2005-3820 — CVSS 6.4 (medium): Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary…
CVE-2014-2269 — CVSS 6.4 (medium): modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users…
CVE-2018-8047 — CVSS 6.1 (medium): vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions…
CVE-2024-44776 — CVSS 6.1 (medium): An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a…
CVE-2024-54687 — CVSS 6.1 (medium): Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in…
CVE-2020-19362 — CVSS 6.1 (medium): Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious…
CVE-2025-45755 — CVSS 6.1 (medium): A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import…
CVE-2010-3909 — CVSS 6.0 (medium): Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary…
CVE-2007-3602 — CVSS 5.5 (medium): The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authenticated…
CVE-2007-3598 — CVSS 5.5 (medium): index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change…
CVE-2024-48119 — CVSS 5.4 (medium): Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
CVE-2022-38335 — CVSS 5.4 (medium): Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
CVE-2014-2268 — CVSS 5.0 (medium): views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote…
CVE-2008-3458 — CVSS 5.0 (medium): Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to…
CVE-2012-4867 — CVSS 5.0 (medium): Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read…
CVE-2005-3824 — CVSS 5.0 (medium): The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db…
CVE-2011-4680 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject…
CVE-2011-4670 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script…
CVE-2010-3911 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or…
CVE-2013-7326 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1)…
CVE-2009-3247 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web…
CVE-2008-3101 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via…
CVE-2005-3818 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or…
CVE-2005-3821 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via…
CVE-2025-1618 — CVSS 4.3 (medium): A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file…
CVE-2007-3600 — CVSS 4.0 (medium): WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security…
CVE-2007-3617 — CVSS 4.0 (medium): The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to read…
CVE-2014-1222 — CVSS 4.0 (medium): Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to…
CVE-2009-3251 — CVSS 4.0 (medium): include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and…
CVE-2007-3604 — CVSS 4.0 (medium): vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions and read…
CVE-2011-4679 — CVSS 4.0 (medium): vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated…
CVE-2009-3257 — CVSS 3.6 (low): vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping…
CVE-2007-3601 — CVSS 2.1 (low): vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities…