
    88 vulnerabilities found for CRM by vTiger

    VAR-202505-3051

    Vulnerability from variot - Updated: 2025-06-15 23:21

    A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. There is a code injection vulnerability in Vtiger CRM by Vtiger. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202505-3051",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "8.3.0"
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "cve": "CVE-2025-45753",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.2,
                "id": "CVE-2025-45753",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 7.2,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2025-006737",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "High",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2025-45753",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2025-006737",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. Vtiger of Vtiger CRM There is a code injection vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2025-45753",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "id": "VAR-202505-3051",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.52916664
      },
      "last_update_date": "2025-06-15T23:21:34.389000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-94",
            "trust": 1.0
          },
          {
            "problemtype": "Code injection (CWE-94) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.simonjuguna.com/cve-2025-45753-authenticated-remote-code-execution-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2025-45753"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-06-11T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "date": "2025-05-21T21:16:03.403000",
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-06-11T07:59:00",
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          },
          {
            "date": "2025-06-10T19:34:41.410000",
            "db": "NVD",
            "id": "CVE-2025-45753"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger\u00a0 of \u00a0Vtiger\u00a0CRM\u00a0 Code injection vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006737"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202505-3447

    Vulnerability from variot - Updated: 2025-06-12 23:22

    A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202505-3447",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "8.3.0"
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "cve": "CVE-2025-45755",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "id": "CVE-2025-45755",
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "None",
                "baseScore": 6.1,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "JVNDB-2025-006629",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "None",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2025-45755",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2025-006629",
                "trust": 0.8,
                "value": "Medium"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2025-45755",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "id": "VAR-202505-3447",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.52916664
      },
      "last_update_date": "2025-06-12T23:22:22.544000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.0
          },
          {
            "problemtype": "Cross-site scripting (CWE-79) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.simonjuguna.com/cve-2025-45755-stored-cross-site-scripting-xss-vulnerability-in-vtiger-open-source-edition-v8-3-0/"
          },
          {
            "trust": 1.8,
            "url": "https://www.vtiger.com/open-source-crm/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2025-45755"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-06-11T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "date": "2025-05-21T20:15:32.227000",
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-06-11T02:01:00",
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          },
          {
            "date": "2025-06-10T19:34:54.193000",
            "db": "NVD",
            "id": "CVE-2025-45755"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger\u00a0 of \u00a0Vtiger\u00a0CRM\u00a0 Cross-site scripting vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2025-006629"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202209-1780

    Vulnerability from variot - Updated: 2025-05-22 22:44

    Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202209-1780",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "7.4.0"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "7.4.0  and earlier"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "cve": "CVE-2022-38335",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.3,
                "id": "CVE-2022-38335",
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "trust": 2.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 5.4,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "CVE-2022-38335",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2022-38335",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2022-38335",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2022-38335",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202209-2770",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "VULHUB",
            "id": "VHN-434134"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-38335",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770",
            "trust": 0.6
          },
          {
            "db": "VULHUB",
            "id": "VHN-434134",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-434134"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "id": "VAR-202209-1780",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-434134"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-05-22T22:44:49.464000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.1
          },
          {
            "problemtype": "Cross-site scripting (CWE-79) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-434134"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://code.vtiger.com/vtiger/vtigercrm"
          },
          {
            "trust": 2.5,
            "url": "https://github.com/sbaresearch/advisories/tree/public/2022/sba-adv-20220328-01_vtiger_crm_stored_cross-site_scripting"
          },
          {
            "trust": 2.5,
            "url": "https://www.vtiger.com/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-38335"
          },
          {
            "trust": 0.6,
            "url": "https://vigilance.fr/vulnerability/vtiger-crm-cross-site-scripting-via-email-templates-module-39378"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-38335/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-434134"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-434134"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-09-27T00:00:00",
            "db": "VULHUB",
            "id": "VHN-434134"
          },
          {
            "date": "2023-10-17T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "date": "2022-09-27T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          },
          {
            "date": "2022-09-27T23:15:15.120000",
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-09-29T00:00:00",
            "db": "VULHUB",
            "id": "VHN-434134"
          },
          {
            "date": "2023-10-17T08:04:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          },
          {
            "date": "2022-09-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          },
          {
            "date": "2025-05-21T15:15:57.697000",
            "db": "NVD",
            "id": "CVE-2022-38335"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Cross-site scripting vulnerability in Vtiger CRM by Vtiger",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-017911"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202209-2770"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202408-1386

    Vulnerability from variot - Updated: 2025-05-01 23:37

    VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL injection in the "CompanyDetails" operation of the "MailManager" module. Per the published CVSS 3.1 vector (PR:H), exploitation requires a high-privileged (administrative) account; successful exploitation may allow information to be obtained or tampered with, and may interrupt service operation (DoS).


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202408-1386",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "8.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "8.1.0  and earlier"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "cve": "CVE-2024-42994",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.2,
                "id": "CVE-2024-42994",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 7.2,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-022952",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "High",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2024-42994",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-022952",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "VTiger CRM \u003c= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the \"CompanyDetails\" operation of the \"MailManager\" module. Per the published CVSS 3.1 vector (PR:H), exploitation requires a high-privileged (administrative) account; successful exploitation may allow information to be obtained or tampered with, and may interrupt service operation (DoS)",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-42994",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "id": "VAR-202408-1386",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.52916664
      },
      "last_update_date": "2025-05-01T23:37:22.036000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-89",
            "trust": 1.0
          },
          {
            "problemtype": "SQL injection (CWE-89) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.shielder.com/advisories/vtiger-mailmanager-sqli/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-42994"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "date": "2024-08-16T17:15:15.153000",
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-30T06:39:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          },
          {
            "date": "2025-04-28T14:10:13.853000",
            "db": "NVD",
            "id": "CVE-2024-42994"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection vulnerability in Vtiger CRM by Vtiger",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022952"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202408-1014

    Vulnerability from variot - Updated: 2025-05-01 23:35

    VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules. This is an improper privilege management issue (CWE-269) in Vtiger CRM: any authenticated account, not only administrators, can reach the administrative module. Successful exploitation may allow information to be obtained or tampered with, and may interrupt service operation (DoS).


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202408-1014",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "8.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "8.1.0  and earlier"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "cve": "CVE-2024-42995",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "id": "CVE-2024-42995",
                "impactScore": 5.5,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 8.3,
                "baseSeverity": "High",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-022974",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2024-42995",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-022974",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "VTiger CRM \u003c= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the \"Migration\" administrative module to disable arbitrary modules. This is an improper privilege management issue (CWE-269) in Vtiger CRM: any authenticated account, not only administrators, can reach the administrative module. Successful exploitation may allow information to be obtained or tampered with, and may interrupt service operation (DoS)",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-42995",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "id": "VAR-202408-1014",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.52916664
      },
      "last_update_date": "2025-05-01T23:35:37.694000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-269",
            "trust": 1.0
          },
          {
            "problemtype": "NVD-CWE-noinfo",
            "trust": 1.0
          },
          {
            "problemtype": "Improper authority management (CWE-269) [ others ]",
            "trust": 0.8
          },
          {
            "problemtype": " Lack of information (CWE-noinfo) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://www.shielder.com/advisories/vtiger-migration-bac/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-42995"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "date": "2024-08-16T17:15:15.273000",
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-30T07:03:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          },
          {
            "date": "2025-04-28T14:09:10.273000",
            "db": "NVD",
            "id": "CVE-2024-42995"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger\u00a0 of \u00a0Vtiger\u00a0CRM\u00a0 Vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022974"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202404-2329

    Vulnerability from variot - Updated: 2025-04-25 01:55

    modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code: an unprotected endpoint lets them write attacker-controlled content into config.inc.php, which is included on every page load, so the injected code persists and executes on every subsequent request. Note that both CVSS 3.x vectors recorded below are scored with Privileges Required: None (PR:N, AC:H) even though the description states that authentication is required; treat the privilege requirement as unconfirmed when prioritising. The references list a fix commit in the vtiger source repository and a GitHub repository named after the CVE (likely a proof-of-concept). Impact: information disclosure, data tampering, and denial of service.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202404-2329",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "7.5.0"
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "cve": "CVE-2023-46304",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.2,
                "id": "CVE-2023-46304",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "High",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 8.1,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2023-028748",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2023-46304",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2023-028748",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load), giving persistent code execution on every subsequent request. Vtiger CRM has a code injection vulnerability; note that the recorded CVSS vectors are scored as Privileges Required: None although the description requires authentication. Impact: information disclosure, data tampering, and denial of service (DoS).",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-46304",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "id": "VAR-202404-2329",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.52916664
      },
      "last_update_date": "2025-04-25T01:55:54.465000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-74",
            "trust": 1.0
          },
          {
            "problemtype": "injection (CWE-74) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/users/models/module.php"
          },
          {
            "trust": 1.8,
            "url": "https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232717c360d43"
          },
          {
            "trust": 1.8,
            "url": "https://github.com/jselliott/cve-2023-46304"
          },
          {
            "trust": 1.8,
            "url": "https://www.vtiger.com/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-46304"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-23T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "date": "2024-04-30T13:15:46.763000",
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-23T02:25:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          },
          {
            "date": "2025-04-22T17:53:58.067000",
            "db": "NVD",
            "id": "CVE-2023-46304"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger\u00a0 of \u00a0Vtiger\u00a0CRM\u00a0 Injection vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-028748"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202501-2176

    Vulnerability from variot - Updated: 2025-04-25 01:42

    Vtiger CRM v6.1 and before is vulnerable to cross-site scripting (XSS) via the Documents module and the uploadAndSaveFile function in CRMEntity.php. Exploitation requires user interaction (UI:R in the CVSS vector) and, per the recorded vector, needs no privileges; a successful attack may allow information to be obtained or tampered with in the context of the affected user's browser session.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202501-2176",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "6.1"
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "6.1  and earlier"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "cve": "CVE-2024-54687",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "id": "CVE-2024-54687",
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "None",
                "baseScore": 6.1,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-022715",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "None",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2024-54687",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-022715",
                "trust": 0.8,
                "value": "Medium"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php. Vtiger CRM has a cross-site scripting vulnerability; exploitation requires user interaction, and information may be obtained or tampered with in the context of the affected user's browser session.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-54687",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "id": "VAR-202501-2176",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.52916664
      },
      "last_update_date": "2025-04-25T01:42:12.023000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.0
          },
          {
            "problemtype": "Cross-site scripting (CWE-79) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://andrea0.medium.com"
          },
          {
            "trust": 1.8,
            "url": "https://andrea0.medium.com/analysis-of-cve-2024-54687-9d82f4c0eaa8"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-54687"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-23T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "date": "2025-01-10T18:15:22.630000",
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-04-23T05:15:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          },
          {
            "date": "2025-04-17T02:38:37.987000",
            "db": "NVD",
            "id": "CVE-2024-54687"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger\u00a0 of \u00a0Vtiger\u00a0CRM\u00a0 Cross-site scripting vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-022715"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-201704-0310

    Vulnerability from variot - Updated: 2025-04-20 23:05

    Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000, so installations that applied only the earlier fix remain exposed. Because exploitation depends on the web server executing the uploaded file when it is requested directly from test/logo/, denying script execution in that directory at the web-server level reduces exposure, but it is not a substitute for upgrading. Vtiger CRM is a customer relationship management (CRM) system, originally based on SugarCRM and developed by Vtiger; it provides management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201704-0310",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 2.4,
            "vendor": "vtiger",
            "version": "6.4.0"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          }
        ]
      },
      "cve": "CVE-2016-1713",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 8.5,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 6.8,
                "id": "CVE-2016-1713",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "COMPLETE",
                "baseScore": 8.5,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 6.8,
                "id": "VHN-90532",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:S/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.3,
                "id": "CVE-2016-1713",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.8,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2016-1713",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2016-1713",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201704-825",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-90532",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          }
        ],
        "trust": 1.71
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-90532",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2016-1713",
            "trust": 2.5
          },
          {
            "db": "OPENWALL",
            "id": "OSS-SECURITY/2016/01/12/7",
            "trust": 1.7
          },
          {
            "db": "OPENWALL",
            "id": "OSS-SECURITY/2016/01/12/4",
            "trust": 1.7
          },
          {
            "db": "EXPLOIT-DB",
            "id": "44379",
            "trust": 1.1
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825",
            "trust": 0.7
          },
          {
            "db": "EXPLOIT-DB",
            "id": "38345",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-90532",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "id": "VAR-201704-0310",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-20T23:05:14.839000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "http://vtiger-crm.2324883.n4.nabble.com/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-434",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html"
          },
          {
            "trust": 1.7,
            "url": "http://www.openwall.com/lists/oss-security/2016/01/12/4"
          },
          {
            "trust": 1.7,
            "url": "http://www.openwall.com/lists/oss-security/2016/01/12/7"
          },
          {
            "trust": 1.1,
            "url": "https://www.exploit-db.com/exploits/44379/"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1713"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1713"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2017-04-14T00:00:00",
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "date": "2017-05-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "date": "2017-04-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "date": "2017-04-14T18:59:00.237000",
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-04-02T00:00:00",
            "db": "VULHUB",
            "id": "VHN-90532"
          },
          {
            "date": "2017-05-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          },
          {
            "date": "2017-04-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          },
          {
            "date": "2025-04-20T01:37:25.860000",
            "db": "NVD",
            "id": "CVE-2016-1713"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM of  modules/Settings/Vtiger/actions/CompanyDetailsSave.php Vulnerable to arbitrary code execution",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-008454"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "lack of information",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201704-825"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201404-0332

    Vulnerability from variot - Updated: 2025-04-13 23:32

    modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters. vtiger CRM is prone to a security-bypass vulnerability. An attacker can exploit this issue to change a user's password, thereby aiding in further attacks. vtiger CRM 6.0 is vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM, developed by the American company Vtiger. The system provides functions such as the management, collection, and analysis of customer information. The security hole is in the modules/Users/ForgotPassword.php file of Vtiger CRM 6.0.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201404-0332",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "6.0.0"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "6.0 security patch 2"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Jonathan of Navixia Research Team",
        "sources": [
          {
            "db": "BID",
            "id": "66757"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2014-2269",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.4,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2014-2269",
                "impactScore": 4.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.4,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "VHN-70208",
                "impactScore": 4.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2014-2269",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2014-2269",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201404-432",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-70208",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters. vtiger CRM is prone to a security-bypass vulnerability. \nAn attacker can exploit this issue to change a user\u0027s password, thereby aiding in further attacks. \nvtiger CRM 6.0 is vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. There is a security hole in the modules/Users/ForgotPassword.php file of Vtiger CRM6.0 version",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "BID",
            "id": "66757"
          },
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2014-2269",
            "trust": 2.8
          },
          {
            "db": "BID",
            "id": "66758",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432",
            "trust": 0.7
          },
          {
            "db": "MLIST",
            "id": "[VTIGERCRM-DEVELOPERS] 20140316 IMP: FORGOT PASSWORD AND RE-INSTALLATION SECURITY FIX",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "66757",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-70208",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "db": "BID",
            "id": "66757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "id": "VAR-201404-0332",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-13T23:32:50.325000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "IMP: forgot password and re-installation security fix",
            "trust": 0.8,
            "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html"
          },
          {
            "title": "vtigercrm-600-security-patch2",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49462"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-20",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "http://www.securityfocus.com/bid/66758"
          },
          {
            "trust": 1.7,
            "url": "http://vtiger-crm.2324883.n4.nabble.com/vtigercrm-developers-imp-forgot-password-and-re-installation-security-fix-tt9786.html"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2269"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2269"
          },
          {
            "trust": 0.3,
            "url": "www.vtiger.de"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "db": "BID",
            "id": "66757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "db": "BID",
            "id": "66757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2014-04-22T00:00:00",
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "date": "2014-04-10T00:00:00",
            "db": "BID",
            "id": "66757"
          },
          {
            "date": "2014-04-24T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "date": "2014-04-23T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "date": "2014-04-22T13:06:28.523000",
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2014-04-22T00:00:00",
            "db": "VULHUB",
            "id": "VHN-70208"
          },
          {
            "date": "2014-04-10T00:00:00",
            "db": "BID",
            "id": "66757"
          },
          {
            "date": "2014-04-24T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          },
          {
            "date": "2014-04-23T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          },
          {
            "date": "2025-04-12T10:46:40.837000",
            "db": "NVD",
            "id": "CVE-2014-2269"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger modules/Users/ForgotPassword.php vulnerable to password reset for arbitrary users",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-002214"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "input validation",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201404-432"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201411-0075

    Vulnerability from variot - Updated: 2025-04-13 23:32

    views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. vtiger CRM is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. vtiger CRM 6.0 is vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company, which provides functions such as management, collection and analysis of customer information. The Install Module is one of the installation modules.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201411-0075",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "6.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "6.0 security patch 2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "6.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "6.0"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "66758"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Jonathan of Navixia Research Team",
        "sources": [
          {
            "db": "BID",
            "id": "66758"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2014-2268",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2014-2268",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.9,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "VHN-70207",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2014-2268",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2014-2268",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201406-544",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-70207",
                "trust": 0.1,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2014-2268",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. vtiger CRM is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input. \nExploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. \nvtiger CRM 6.0 is vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company, which provides functions such as management, collection and analysis of customer information. The Install Module is one of the installation modules.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "BID",
            "id": "66758"
          },
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268"
          }
        ],
        "trust": 2.07
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-70207",
            "trust": 0.1,
            "type": "unknown"
          },
          {
            "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=32794",
            "trust": 0.1,
            "type": "exploit"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2014-2268",
            "trust": 2.9
          },
          {
            "db": "BID",
            "id": "66757",
            "trust": 1.8
          },
          {
            "db": "EXPLOIT-DB",
            "id": "32794",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544",
            "trust": 0.7
          },
          {
            "db": "BID",
            "id": "66758",
            "trust": 0.5
          },
          {
            "db": "PACKETSTORM",
            "id": "126067",
            "trust": 0.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-86064",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-70207",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268"
          },
          {
            "db": "BID",
            "id": "66758"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "id": "VAR-201411-0075",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-13T23:32:50.292000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "IMP: forgot password and re-installation security fix",
            "trust": 0.8,
            "url": "http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html"
          },
          {
            "title": "vtigercrm-600-security-patch3",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52472"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-264",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.1,
            "url": "https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html"
          },
          {
            "trust": 2.1,
            "url": "http://vtiger-crm.2324883.n4.nabble.com/vtigercrm-developers-imp-forgot-password-and-re-installation-security-fix-tt9786.html"
          },
          {
            "trust": 1.8,
            "url": "http://www.securityfocus.com/bid/66757"
          },
          {
            "trust": 1.8,
            "url": "http://www.exploit-db.com/exploits/32794"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2268"
          },
          {
            "trust": 0.8,
            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2268"
          },
          {
            "trust": 0.3,
            "url": "http://www.vtiger.com/"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/264.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.exploit-db.com/exploits/32794/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://www.rapid7.com/db/modules/exploit/multi/http/vtiger_install_rce"
          },
          {
            "trust": 0.1,
            "url": "https://www.securityfocus.com/bid/66758"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268"
          },
          {
            "db": "BID",
            "id": "66758"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-2268"
          },
          {
            "db": "BID",
            "id": "66758"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2014-11-16T00:00:00",
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "date": "2014-11-16T00:00:00",
            "db": "VULMON",
            "id": "CVE-2014-2268"
          },
          {
            "date": "2014-04-10T00:00:00",
            "db": "BID",
            "id": "66758"
          },
          {
            "date": "2014-11-18T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "date": "2014-04-10T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "date": "2014-11-16T01:59:00.130000",
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2017-11-20T00:00:00",
            "db": "VULHUB",
            "id": "VHN-70207"
          },
          {
            "date": "2017-11-20T00:00:00",
            "db": "VULMON",
            "id": "CVE-2014-2268"
          },
          {
            "date": "2014-04-10T00:00:00",
            "db": "BID",
            "id": "66758"
          },
          {
            "date": "2014-11-18T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          },
          {
            "date": "2014-11-17T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          },
          {
            "date": "2025-04-12T10:46:40.837000",
            "db": "NVD",
            "id": "CVE-2014-2268"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vTiger installation module views/Index.php vulnerable to application reinstallation",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-005475"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "permissions and access control",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-544"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201608-0190

    Vulnerability from variot - Updated: 2025-04-13 23:17

    modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. Vtiger CRM is a customer relationship management (CRM) software. Vtiger CRM contains a vulnerability where it does not properly restrict access to user information data. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. A user with ordinary user privileges may create new users or alter existing user information. Successfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks. Vtiger CRM 6.4.0 and prior versions are vulnerable. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability is caused by the program not properly restricting the user-save operation.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201608-0190",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "6.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "6.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "6.5.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "6.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "6.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2.1"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "92076"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Inc.,Hirota Kazuki of Mitsui Bussan Secure Directions",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2016-4834",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2016-4834",
                "impactScore": 4.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.1,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "Single",
                "author": "IPA",
                "availabilityImpact": "None",
                "baseScore": 5.5,
                "confidentialityImpact": "Partial",
                "exploitabilityScore": null,
                "id": "JVNDB-2016-000126",
                "impactScore": null,
                "integrityImpact": "Partial",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "Medium",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "VHN-93653",
                "impactScore": 4.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.8,
                "id": "CVE-2016-4834",
                "impactScore": 5.2,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "IPA",
                "availabilityImpact": "None",
                "baseScore": 5.4,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "JVNDB-2016-000126",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2016-4834",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "IPA",
                "id": "JVNDB-2016-000126",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201607-960",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-93653",
                "trust": 0.1,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2016-4834",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "db": "VULMON",
            "id": "CVE-2016-4834"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. Vtiger CRM is a customer relationship management (CRM) software. Vtiger CRM contains a vulnerability where it does not properly restrict access to user information data. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.A user with user privileges may create new users or alter existing user information. \nSuccessfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks. \nVtiger CRM 6.4.0 and prior versions are vulnerable. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability is caused by the program not properly restricting the user-save operation",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "BID",
            "id": "92076"
          },
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "db": "VULMON",
            "id": "CVE-2016-4834"
          }
        ],
        "trust": 2.07
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2016-4834",
            "trust": 2.9
          },
          {
            "db": "JVN",
            "id": "JVN01956993",
            "trust": 2.9
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126",
            "trust": 2.6
          },
          {
            "db": "BID",
            "id": "92076",
            "trust": 2.1
          },
          {
            "db": "SECTRACK",
            "id": "1036485",
            "trust": 1.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960",
            "trust": 0.7
          },
          {
            "db": "VULHUB",
            "id": "VHN-93653",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2016-4834",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "db": "VULMON",
            "id": "CVE-2016-4834"
          },
          {
            "db": "BID",
            "id": "92076"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "id": "VAR-201608-0190",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-13T23:17:53.040000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Download - Vtiger CRM",
            "trust": 0.8,
            "url": "https://www.vtiger.com/download/"
          },
          {
            "title": "Refactored access control on user-save operation. ",
            "trust": 0.8,
            "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c"
          },
          {
            "title": "Vtiger CRM Repair measures for security bypass vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63312"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-264",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.9,
            "url": "http://jvn.jp/en/jp/jvn01956993/index.html"
          },
          {
            "trust": 2.1,
            "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/7cdf9941197b4aa58114eafce3ce88fb418eb68c"
          },
          {
            "trust": 1.9,
            "url": "http://www.securityfocus.com/bid/92076"
          },
          {
            "trust": 1.8,
            "url": "http://jvndb.jvn.jp/jvndb/jvndb-2016-000126"
          },
          {
            "trust": 1.8,
            "url": "http://www.securitytracker.com/id/1036485"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4834"
          },
          {
            "trust": 0.8,
            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4834"
          },
          {
            "trust": 0.3,
            "url": "https://www.vtiger.com"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/264.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "db": "VULMON",
            "id": "CVE-2016-4834"
          },
          {
            "db": "BID",
            "id": "92076"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "db": "VULMON",
            "id": "CVE-2016-4834"
          },
          {
            "db": "BID",
            "id": "92076"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2016-08-01T00:00:00",
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "date": "2016-08-01T00:00:00",
            "db": "VULMON",
            "id": "CVE-2016-4834"
          },
          {
            "date": "2016-07-20T00:00:00",
            "db": "BID",
            "id": "92076"
          },
          {
            "date": "2016-07-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "date": "2016-07-27T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "date": "2016-08-01T02:59:14.620000",
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2016-12-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-93653"
          },
          {
            "date": "2016-12-06T00:00:00",
            "db": "VULMON",
            "id": "CVE-2016-4834"
          },
          {
            "date": "2016-07-20T00:00:00",
            "db": "BID",
            "id": "92076"
          },
          {
            "date": "2016-08-04T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          },
          {
            "date": "2021-05-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          },
          {
            "date": "2025-04-12T10:46:40.837000",
            "db": "NVD",
            "id": "CVE-2016-4834"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM does not properly restrict access to application data",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2016-000126"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "permissions and access control issues",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201607-960"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201404-0102

    Vulnerability from variot - Updated: 2025-04-13 23:17

    Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. Vtiger CRM contains SQL injection vulnerabilities. A third party may be able to execute SQL commands via the following parameters, including (4) the emailaddress parameter in the SearchContactsByEmail method of soap/thunderbirdplugin.php. vtiger CRM is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM versions 5.0.0 through 5.4.0 are vulnerable. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The management system provides functions such as the management, collection, and analysis of customer information. The vulnerabilities stem from the fact that the soap/customerportal.php script does not correctly filter the 'picklist_name' parameter in the get_picklists method; the soap/customerportal.php script does not correctly filter the 'where' parameter in the get_tickets_list method; the soap/vtigerolservice.php script does not correctly filter the 'emailaddress' parameter in the SearchContactsByEmail method; and the soap/thunderbirdplugin.php script does not correctly filter the 'emailaddress' parameter in the SearchContactsByEmail method.

    [-] Vulnerability Description:

    1) The vulnerable code is located in the get_picklists SOAP method defined in /soap/customerportal.php:

    1. $id = $input_array['id'];
    2. $sessionid = $input_array['sessionid'];
    3. $picklist_name = $adb->sql_escape_string($input_array['picklist_name']);
    4. if(!validateSession($id,$sessionid))
    5. return null;
    6. $picklist_array = Array();
    7. $admin_role = 'H2';
    8. $userid = getPortalUserid();
    9. $roleres = $adb->pquery("SELECT roleid from vtiger_user2role where userid = ?", array($userid));
    10. $RowCount = $adb->num_rows($roleres);
    11. if($RowCount > 0){
    12. $admin_role = $adb->query_result($roleres,0,'roleid');
    13. }
    14. $res = $adb->pquery("select vtiger_". $picklist_name.".* from vtiger_". $picklist_name." inner join [...]

    User input passed through the "picklist_name" parameter appears to be correctly sanitised by the sql_escape_string() method, but the vulnerability exists because the value is used in the query at line 1194 without enclosing single or double quotes: escaping only neutralises quote characters, so it offers no protection when the value is concatenated into an unquoted (identifier) position of the SQL statement. This can be exploited to conduct blind SQL injection attacks.

    2) The vulnerable code is located in the get_tickets_list SOAP method defined in /soap/customerportal.php:

    1. $id = $input_array['id'];
    2. $only_mine = $input_array['onlymine'];
    3. $where = $input_array['where']; //addslashes is already added with where condition fields in portal itself
    4. $match = $input_array['match'];
    5. $sessionid = $input_array['sessionid'];
    6. if(!validateSession($id,$sessionid))
    7. return null;
    8. // Prepare where conditions based on search query
    9. $join_type = '';
    10. $where_conditions = '';
    11. if(trim($where) != '') {
    12. if($match == 'all' || $match == '') {
    13. $join_type = " AND ";
    14. } elseif($match == 'any') {
    15. $join_type = " OR ";
    16. }
    17. $where = explode("&&&",$where);
    18. $where_conditions = implode($join_type, $where);

    [...]

    1. $query = "SELECT vtiger_troubletickets.*, vtiger_crmentity.smownerid,vtiger_crmentity.createdtime, [...]
    2. FROM vtiger_troubletickets
    3. INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_troubletickets.ticketid AND [...]
    4. WHERE vtiger_troubletickets.parent_id IN (". generateQuestionMarks($entity_ids_list) .")";
    5. // Add conditions if there are any search parameters
    6. if ($join_type != '' && $where_conditions != '') {
    7. $query .= " AND (".$where_conditions.")";
    8. }

    User input passed through the "where" parameter is not properly validated before being used in the SQL query at line 713; the comment in the code relies on the portal having applied addslashes() to the condition fields, but the server does not enforce this itself. This can be exploited to conduct SQL injection attacks.

    3) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/thunderbirdplugin.php:

    1. function SearchContactsByEmail($username,$password,$emailaddress)
    2. {
    3. if(authentication($username,$password))
    4. {
    5. require_once('modules/Contacts/Contacts.php');
    6. $seed_contact = new Contacts();
    7. $output_list = Array();
    8. $response = $seed_contact->get_searchbyemailid($username,$emailaddress);

    User input passed through the "emailaddress" parameter isn't properly validated before being used in a call to the Contacts::get_searchbyemailid() method at line 195. This can be exploited to conduct SQL injection attacks. Successful exploitation of this vulnerability requires authentication.

    4) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/vtigerolservice.php:

    1. function SearchContactsByEmail($username,$session,$emailaddress)
    2. {
    3. if(!validateSession($username,$session))
    4. return null;
    5. require_once('modules/Contacts/Contacts.php');
    6. $seed_contact = new Contacts();
    7. $output_list = Array();
    8. $response = $seed_contact->get_searchbyemailid($username,$emailaddress);

    User input passed through the "emailaddress" parameter isn't properly validated before being used in a call to the Contacts::get_searchbyemailid() method at line 291. This can be exploited to conduct SQL injection attacks. Successful exploitation of this vulnerability requires knowledge of a valid username.

    [-] Solution:

    Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467

    [-] Disclosure Timeline:

    [13/01/2013] - Vendor notified
    [06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
    [05/03/2013] - Feedback provided to the vendor
    [26/03/2013] - Vendor patch released
    [18/04/2013] - CVE number requested
    [20/04/2013] - CVE number assigned
    [01/08/2013] - Public disclosure

    [-] CVE Reference:

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3213 to these vulnerabilities.

    [-] Credits:

    Vulnerabilities discovered by Egidio Romano.

    [-] Original Advisory:

    http://karmainsecurity.com/KIS-2013-06


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201404-0102",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.0 to  5.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.1"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.4"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "61563"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Egidio Romano",
        "sources": [
          {
            "db": "BID",
            "id": "61563"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2013-3213",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2013-3213",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "VHN-63215",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2013-3213",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2013-3213",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201308-014",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-63215",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. Vtiger CRM Is SQL An injection vulnerability exists.By any third party, via the following parameters SQL The command may be executed. (4) soap/thunderbirdplugin.php of SearchContactsByEmail In the method emailaddress Parameters. vtiger CRM is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. \nExploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. \nvtiger CRM 5.0.0 through versions 5.4.0 are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability comes from the fact that the soap/customerportal.php script does not correctly filter the \u0027picklist_name\u0027 parameter in the get_picklists method; the soap/customerportal.php script does not correctly filter the get_tickets_list method The \u0027where\u0027 parameter; the soap/vtigerolservice.php script does not correctly filter the \u0027emailaddress\u0027 parameter in the SearchContactsByEmail method; the soap/thunderbirdplugin.php script does not correctly filter the \u0027emailaddress\u0027 parameter in the SearchContactsByEmail method. 
\n\n\n[-] Vulnerability Description:\n\n1) The vulnerable code is located in the get_picklists SOAP method defined in /soap/customerportal.php:\n\n1177. \t$id = $input_array[\u0027id\u0027];\n1178. \t$sessionid = $input_array[\u0027sessionid\u0027];\n1179. \t$picklist_name = $adb-\u003esql_escape_string($input_array[\u0027picklist_name\u0027]);\n1180. \n1181. \tif(!validateSession($id,$sessionid))\n1182. \treturn null;\n1183. \n1184. \t$picklist_array = Array();\n1185. \n1186. \t$admin_role = \u0027H2\u0027;\n1187. \t$userid = getPortalUserid();\n1188. \t$roleres = $adb-\u003epquery(\"SELECT roleid from vtiger_user2role where userid = ?\", array($userid));\n1189. \t$RowCount = $adb-\u003enum_rows($roleres);\n1190. \tif($RowCount \u003e 0){\n1191. \t\t$admin_role = $adb-\u003equery_result($roleres,0,\u0027roleid\u0027);\n1192. \t}\n1193. \n1194. \t$res = $adb-\u003epquery(\"select vtiger_\". $picklist_name.\".* from vtiger_\". $picklist_name.\" inner join [...]\n\nUser input passed through the \"picklist_name\" parameter seems to be correctly sanitised by the\nsql_escape_string() method, but the vulnerability exists because it\u0027s used in the query at line 1194\nwithout single or double quotes. This can be exploited to conduct blind SQL injection attacks. \n\n2) The vulnerable code is located in the get_tickets_list SOAP method defined in /soap/customerportal.php:\n\n654. \t$id = $input_array[\u0027id\u0027];\n655. \t$only_mine = $input_array[\u0027onlymine\u0027];\n656. \t$where = $input_array[\u0027where\u0027]; //addslashes is already added with where condition fields in portal itself\n657. \t$match = $input_array[\u0027match\u0027];\n658. \t$sessionid = $input_array[\u0027sessionid\u0027];\n659. \n660. \tif(!validateSession($id,$sessionid))\n661. \t\treturn null;\n662. \n663. \t// Prepare where conditions based on search query\n664. \t$join_type = \u0027\u0027;\n665. \t$where_conditions = \u0027\u0027;\n666. \tif(trim($where) != \u0027\u0027) {\n667. 
\t\tif($match == \u0027all\u0027 || $match == \u0027\u0027) {\n668. \t\t\t$join_type = \" AND \";\n669. \t\t} elseif($match == \u0027any\u0027) {\n670. \t\t\t$join_type = \" OR \";\n671. \t\t}\n672. \t\t$where = explode(\"\u0026\u0026\u0026\",$where);\n673. \t\t$where_conditions = implode($join_type, $where);\n\n[...]\n\n707. \t$query = \"SELECT vtiger_troubletickets.*, vtiger_crmentity.smownerid,vtiger_crmentity.createdtime, [...]\n708. \t\tFROM vtiger_troubletickets\n709. \t\tINNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_troubletickets.ticketid AND [...]\n710. \t\tWHERE vtiger_troubletickets.parent_id IN (\". generateQuestionMarks($entity_ids_list) .\")\";\n711. \t// Add conditions if there are any search parameters\n712. \tif ($join_type != \u0027\u0027 \u0026\u0026 $where_conditions != \u0027\u0027) {\n713. \t\t$query .= \" AND (\".$where_conditions.\")\";\n714. \t}\n\nUser input passed through the \"where\" parameter isn\u0027t properly validated before being\nused in a SQL query at line 713. This can be exploited to conduct SQL injection attacks. \n\n3) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/thunderbirdplugin.php:\n\n186. \tfunction SearchContactsByEmail($username,$password,$emailaddress)\n187. \t{\n188. \t  if(authentication($username,$password))\n189. \t  {\n190. \t     require_once(\u0027modules/Contacts/Contacts.php\u0027);\n191. \t\n192. \t     $seed_contact = new Contacts();\n193. \t     $output_list = Array();\n194. \t\n195. \t     $response = $seed_contact-\u003eget_searchbyemailid($username,$emailaddress);\n\nUser input passed through the \"emailaddress\" parameter isn\u0027t properly validated before being used\nin a call to the Contacts::get_searchbyemailid() method at line 195. This can be exploited to conduct\nSQL injection attacks. Successful exploitation of this vulnerability requires authentication. 
\n\n4) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/vtigerolservice.php:\n\n282. \tfunction SearchContactsByEmail($username,$session,$emailaddress)\n283. \t{\n284. \t\tif(!validateSession($username,$session))\n285. \t\treturn null;\n286. \t\trequire_once(\u0027modules/Contacts/Contacts.php\u0027);\n287. \t\n288. \t     $seed_contact = new Contacts();\n289. \t     $output_list = Array();\n290. \t\n291. \t     $response = $seed_contact-\u003eget_searchbyemailid($username,$emailaddress);\n\nUser input passed through the \"emailaddress\" parameter isn\u0027t properly validated before being used in\na call to the Contacts::get_searchbyemailid() method at line 291. This can be exploited to conduct SQL\ninjection attacks. Successful exploitation of this vulnerability requires knowledge of a valid username. \n\n\n[-] Solution:\n\nApply the vendor patch:http://www.vtiger.com/blogs/?p=1467\n\n\n[-] Disclosure Timeline:\n\n[13/01/2013] - Vendor notified\n[06/02/2013] - Vendor asked feedback abouthttp://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848\n[05/03/2013] - Feedback provided to the vendor\n[26/03/2013] - Vendor patch released\n[18/04/2013] - CVE number requested\n[20/04/2013] - CVE number assigned\n[01/08/2013] - Public disclosure\n\n\n[-] CVE Reference:\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\nhas assigned the name CVE-2013-3213 to these vulnerabilities. \n\n\n[-] Credits:\n\nVulnerabilities discovered by Egidio Romano. \n\n\n[-] Original Advisory:\n\nhttp://karmainsecurity.com/KIS-2013-06\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "BID",
            "id": "61563"
          },
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "db": "PACKETSTORM",
            "id": "122641"
          }
        ],
        "trust": 2.07
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-63215",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2013-3213",
            "trust": 2.9
          },
          {
            "db": "BID",
            "id": "61563",
            "trust": 2.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014",
            "trust": 0.7
          },
          {
            "db": "XF",
            "id": "86129",
            "trust": 0.6
          },
          {
            "db": "XF",
            "id": "20133213",
            "trust": 0.6
          },
          {
            "db": "BUGTRAQ",
            "id": "20130801 [KIS-2013-06] VTIGER CRM \u003c= 5.4.0 (SOAP SERVICES) MULTIPLE SQL INJECTION VULNERABILITIES",
            "trust": 0.6
          },
          {
            "db": "PACKETSTORM",
            "id": "122641",
            "trust": 0.2
          },
          {
            "db": "EXPLOIT-DB",
            "id": "27279",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-63215",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "db": "BID",
            "id": "61563"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "PACKETSTORM",
            "id": "122641"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "id": "VAR-201404-0102",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-13T23:17:40.611000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Vtiger 5.4.0 Security Patch Released",
            "trust": 0.8,
            "url": "https://www.vtiger.com/blogs/?p=1467"
          },
          {
            "title": "vtigercrm6.0.0",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49112"
          },
          {
            "title": "vtigercrm600",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49111"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-89",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.1,
            "url": "https://www.vtiger.com/blogs/?p=1467"
          },
          {
            "trust": 2.1,
            "url": "http://karmainsecurity.com/kis-2013-06"
          },
          {
            "trust": 1.7,
            "url": "http://www.securityfocus.com/bid/61563"
          },
          {
            "trust": 1.7,
            "url": "http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html"
          },
          {
            "trust": 1.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86129"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3213"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3213"
          },
          {
            "trust": 0.6,
            "url": "http://xforce.iss.net/xforce/xfdb/86129"
          },
          {
            "trust": 0.3,
            "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%205.1.0/"
          },
          {
            "trust": 0.1,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2013-3213"
          },
          {
            "trust": 0.1,
            "url": "http://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "db": "BID",
            "id": "61563"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "PACKETSTORM",
            "id": "122641"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "db": "BID",
            "id": "61563"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "db": "PACKETSTORM",
            "id": "122641"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2014-04-02T00:00:00",
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "date": "2013-08-01T00:00:00",
            "db": "BID",
            "id": "61563"
          },
          {
            "date": "2014-04-03T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "date": "2013-08-01T18:32:11",
            "db": "PACKETSTORM",
            "id": "122641"
          },
          {
            "date": "2013-08-02T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "date": "2014-04-02T16:05:49.267000",
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2017-08-29T00:00:00",
            "db": "VULHUB",
            "id": "VHN-63215"
          },
          {
            "date": "2013-08-01T00:00:00",
            "db": "BID",
            "id": "61563"
          },
          {
            "date": "2014-04-03T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          },
          {
            "date": "2014-04-03T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          },
          {
            "date": "2025-04-12T10:46:40.837000",
            "db": "NVD",
            "id": "CVE-2013-3213"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "122641"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM In  SQL Injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006283"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "sql injection",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "122641"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201308-014"
          }
        ],
        "trust": 0.7
      }
    }

    VAR-201408-0376

    Vulnerability from variot - Updated: 2025-04-12 22:59

    Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM. The kcfinder/browse.php component of Vtiger CRM contains a directory traversal vulnerability. An attacker can exploit this issue using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible. vtiger CRM 5.4.0, 6.0 RC and 6.0.0 GA are vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201408-0376",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "6.0.0"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "6.0.0 security patch 1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "6.0.0"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Jerzy Kramarz",
        "sources": [
          {
            "db": "BID",
            "id": "66136"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2014-1222",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2014-1222",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "VHN-69160",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2014-1222",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2014-1222",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201406-506",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-69160",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action.  NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM. Vtiger CRM of kcfinder/browse.php Contains a directory traversal vulnerability. \nAn attacker can exploit this issue using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible. \nvtiger CRM 5.4.0, 6.0 RC and 6.0.0 GA are vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "BID",
            "id": "66136"
          },
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          }
        ],
        "trust": 1.98
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-69160",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2014-1222",
            "trust": 2.8
          },
          {
            "db": "BID",
            "id": "66136",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506",
            "trust": 0.7
          },
          {
            "db": "SECUNIA",
            "id": "57149",
            "trust": 0.6
          },
          {
            "db": "EXPLOIT-DB",
            "id": "36581",
            "trust": 0.1
          },
          {
            "db": "EXPLOIT-DB",
            "id": "32213",
            "trust": 0.1
          },
          {
            "db": "EXPLOIT-DB",
            "id": "27597",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "125685",
            "trust": 0.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-85512",
            "trust": 0.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-81201",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-69160",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "db": "BID",
            "id": "66136"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "id": "VAR-201408-0376",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-12T22:59:37.590000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "vtigercrm-600-security-patch1.zip",
            "trust": 0.8,
            "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download"
          },
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-22",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/"
          },
          {
            "trust": 1.7,
            "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%206.0.0/add-ons/vtigercrm-600-security-patch1.zip/download"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/531423/100/0/threaded"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1222"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1222"
          },
          {
            "trust": 0.6,
            "url": "http://www.securityfocus.com/archive/1/archive/1/531423/100/0/threaded"
          },
          {
            "trust": 0.6,
            "url": "http://secunia.com/advisories/57149"
          },
          {
            "trust": 0.6,
            "url": "http://www.securityfocus.com/bid/66136"
          },
          {
            "trust": 0.3,
            "url": "http://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "db": "BID",
            "id": "66136"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "db": "BID",
            "id": "66136"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2014-08-12T00:00:00",
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "date": "2014-03-12T00:00:00",
            "db": "BID",
            "id": "66136"
          },
          {
            "date": "2014-08-15T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "date": "2014-03-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "date": "2014-08-12T23:55:03.360000",
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-09T00:00:00",
            "db": "VULHUB",
            "id": "VHN-69160"
          },
          {
            "date": "2014-03-12T00:00:00",
            "db": "BID",
            "id": "66136"
          },
          {
            "date": "2015-01-07T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          },
          {
            "date": "2014-08-13T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          },
          {
            "date": "2025-04-12T10:46:40.837000",
            "db": "NVD",
            "id": "CVE-2014-1222"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM of  kcfinder/browse.php Vulnerable to directory traversal",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-003799"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "path traversal",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201406-506"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201112-0339

    Vulnerability from variot - Updated: 2025-04-11 23:15

    vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. Vtiger CRM is a Web-based customer relationship management (CRM) system built on sales force automation (SFA). A vulnerability exists in versions of vtiger CRM prior to 5.3.0 that stems from the failure to correctly recognize the disabled status of a field in the Leads module. vtiger CRM is prone to a security-bypass vulnerability. Attackers may exploit the issue to bypass certain unspecified security restrictions and gain unauthorized access. Versions prior to vtiger CRM 5.3.0 are vulnerable. The system provides functions such as management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201112-0339",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lt",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "5.3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "\u003c=5.2.x"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "*"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.3"
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "BID",
            "id": "51024"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "pratim",
        "sources": [
          {
            "db": "BID",
            "id": "51024"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2011-4679",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "CVE-2011-4679",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "CNVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "CNVD-2011-5717",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "IVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "7d716c21-463f-11e9-be3d-000c29342cb1",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "IVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "57ca12f8-2354-11e6-abef-000c29c66e3d",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "VHN-52624",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2011-4679",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2011-4679",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2011-5717",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201112-080",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "7d716c21-463f-11e9-be3d-000c29342cb1",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "57ca12f8-2354-11e6-abef-000c29c66e3d",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-52624",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). A vulnerability exists in versions prior to vtiger CRM 5.3.0 that stems from the inability to correctly identify the status of a defective field in the Leads module. vtiger CRM is prone to a security-bypass vulnerability. \nAttackers may exploit the issue to bypass certain unspecified security restrictions and gain unauthorized access. \nVersions prior to vtiger CRM 5.3.0 are vulnerable. The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "BID",
            "id": "51024"
          },
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          }
        ],
        "trust": 2.88
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2011-4679",
            "trust": 3.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080",
            "trust": 1.1
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299",
            "trust": 0.8
          },
          {
            "db": "BID",
            "id": "51024",
            "trust": 0.4
          },
          {
            "db": "IVD",
            "id": "7D716C21-463F-11E9-BE3D-000C29342CB1",
            "trust": 0.2
          },
          {
            "db": "IVD",
            "id": "57CA12F8-2354-11E6-ABEF-000C29C66E3D",
            "trust": 0.2
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "db": "BID",
            "id": "51024"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "id": "VAR-201112-0339",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          }
        ],
        "trust": 1.6291666400000002
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "ICS"
            ],
            "sub_category": null,
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          }
        ]
      },
      "last_update_date": "2025-04-11T23:15:35.136000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Ticket #7003",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003"
          },
          {
            "title": "Ticket #7004",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004"
          },
          {
            "title": "Oct2011:ODUpdate",
            "trust": 0.8,
            "url": "http://wiki.vtiger.com/index.php/Oct2011:ODUpdate"
          },
          {
            "title": "Patch for vtiger CRM Leads module security vulnerability",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/37813"
          },
          {
            "title": "vtigercrm-521-530-patch",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=41995"
          },
          {
            "title": "vtigercrm-5.3.0",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=41994"
          },
          {
            "title": "vtigercrm-5.3.0",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=41993"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-264",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003"
          },
          {
            "trust": 2.0,
            "url": "http://wiki.vtiger.com/index.php/oct2011:odupdate"
          },
          {
            "trust": 1.7,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7004"
          },
          {
            "trust": 1.4,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4679"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4679"
          },
          {
            "trust": 0.3,
            "url": "http://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "db": "BID",
            "id": "51024"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "db": "BID",
            "id": "51024"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-12-08T00:00:00",
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "date": "2011-12-07T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "date": "2011-01-04T00:00:00",
            "db": "BID",
            "id": "51024"
          },
          {
            "date": "2011-12-12T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "date": "2011-12-07T19:55:02.440000",
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-12-08T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "date": "2017-11-22T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52624"
          },
          {
            "date": "2011-01-04T00:00:00",
            "db": "BID",
            "id": "51024"
          },
          {
            "date": "2011-12-12T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003299"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2011-4679"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM Leads Module Security Vulnerability",
        "sources": [
          {
            "db": "IVD",
            "id": "7d716c21-463f-11e9-be3d-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "57ca12f8-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5717"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          }
        ],
        "trust": 1.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "permissions and access control",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-080"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201209-0439

    Vulnerability from variot - Updated: 2025-04-11 23:09

    Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter. vtiger CRM's modules/com_vtiger_workflow/sortfieldsjson.php contains a directory traversal vulnerability that a third party may exploit. Vtiger CRM is a web-based Customer Relationship Management (CRM) system built on Sales Force Automation (SFA). The management system provides functions such as management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201209-0439",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 2.4,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5.x"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "5.1.0"
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          }
        ]
      },
      "cve": "CVE-2012-4867",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2012-4867",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2012-8109",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "7d720862-463f-11e9-bdf0-000c29342cb1",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.2,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "6618136a-2353-11e6-abef-000c29c66e3d",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.2,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "VHN-58148",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2012-4867",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2012-4867",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2012-8109",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201209-078",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "7d720862-463f-11e9-bdf0-000c29342cb1",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "6618136a-2353-11e6-abef-000c29c66e3d",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-58148",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter. vtiger CRM of modules/com_vtiger_workflow/sortfieldsjson.php Contains a directory traversal vulnerability.By a third party .. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          }
        ],
        "trust": 2.61
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-58148",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2012-4867",
            "trust": 3.5
          },
          {
            "db": "EXPLOIT-DB",
            "id": "18635",
            "trust": 1.7
          },
          {
            "db": "PACKETSTORM",
            "id": "111075",
            "trust": 1.7
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078",
            "trust": 1.1
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162",
            "trust": 0.8
          },
          {
            "db": "IVD",
            "id": "7D720862-463F-11E9-BDF0-000C29342CB1",
            "trust": 0.2
          },
          {
            "db": "IVD",
            "id": "6618136A-2353-11E6-ABEF-000C29C66E3D",
            "trust": 0.2
          },
          {
            "db": "EXPLOIT-DB",
            "id": "18770",
            "trust": 0.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-72808",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "id": "VAR-201209-0439",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          }
        ],
        "trust": 1.6291666400000002
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "ICS"
            ],
            "sub_category": null,
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          }
        ]
      },
      "last_update_date": "2025-04-11T23:09:57.012000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://www.vtiger.com/crm/"
          },
          {
            "title": "Patch for vtiger CRM path traversal vulnerability",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/35988"
          },
          {
            "title": "vtigercrm-5.4.0",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=44512"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-22",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "http://www.exploit-db.com/exploits/18635"
          },
          {
            "trust": 1.7,
            "url": "http://packetstormsecurity.org/files/111075/vtiger-5.1.0-local-file-inclusion.html"
          },
          {
            "trust": 1.4,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4867"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4867"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2012-09-12T00:00:00",
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "date": "2012-09-12T00:00:00",
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "date": "2012-09-12T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "date": "2012-09-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "date": "2012-09-10T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "date": "2012-09-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "date": "2012-09-06T17:55:01.707000",
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2012-09-12T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "date": "2012-09-07T00:00:00",
            "db": "VULHUB",
            "id": "VHN-58148"
          },
          {
            "date": "2012-09-10T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2012-004162"
          },
          {
            "date": "2012-09-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2012-4867"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM Path traversal vulnerability",
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2012-8109"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          }
        ],
        "trust": 1.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Path traversal",
        "sources": [
          {
            "db": "IVD",
            "id": "7d720862-463f-11e9-bdf0-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "6618136a-2353-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201209-078"
          }
        ],
        "trust": 1.0
      }
    }

    VAR-201011-0264

    Vulnerability from variot - Updated: 2025-04-11 23:04

    Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. vtiger CRM is prone to a remote security vulnerability. vtiger CRM is an open source web-based customer relationship management system. There is an incomplete blacklist vulnerability in the config.template.php file in vtiger CRM versions prior to 5.2.1. ----------------------------------------------------------------------

    Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.

    Join the beta: http://secunia.com/products/corporate/vim/


    TITLE: vtiger CRM Multiple Vulnerabilities

    SECUNIA ADVISORY ID: SA42246

    VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42246/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42246

    RELEASE DATE: 2010-11-19

    DISCUSS ADVISORY: http://secunia.com/advisories/42246/#comments

    AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)

    http://secunia.com/advisories/42246/

    ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS

    https://ca.secunia.com/?page=viewadvisory&vuln_id=42246

    ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING

    http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

    DESCRIPTION: Some vulnerabilities have been discovered in vtiger CRM, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

    1) An error exists in the file upload functionality due to the emails module not properly checking file names and extensions. This can be exploited to upload and execute arbitrary PHP code e.g. via ".phtml" files.

    2) Input passed e.g. via the "lang_crm" parameter to phprint.php or the "current_language" parameter to graph.php is not properly verified in the "return_application_language()" function in include/utils/utils.php before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

    Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

    3) Input passed via the "user_name" and "user_password" parameters to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    4) Input passed via the "label" parameter to index.php (when "module" is set to "Settings" and "action" is set to "GetFieldInfo") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    The vulnerabilities are confirmed in version 5.2.0. Other versions may also be affected.

    SOLUTION: Update to version 5.2.1.

    PROVIDED AND/OR DISCOVERED BY: Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi

    ORIGINAL ADVISORY: vtiger CRM: http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes

    Giovanni Pellerano and Alessandro Tanasi: http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt

    OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/


    About: This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

    Subscribe: http://secunia.com/advisories/secunia_security_advisories/

    Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

    Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.


    Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org



    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201011-0264",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "*"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": null,
            "trust": 0.6,
            "vendor": "vtiger",
            "version": null
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0.1"
          },
          {
            "model": "crm rc1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm validation",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm beta",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm beta",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.1.0"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "78746"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "78746"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2010-3909",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 6.8,
                "id": "CVE-2010-3909",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 6.8,
                "id": "VHN-46514",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2010-3909",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2010-3909",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201011-248",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-46514",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. vtiger CRM is prone to a remote security vulnerability. vtiger CRM is an open source web-based customer relationship management system. There is an incomplete blacklist vulnerability in the config.template.php file in vtiger CRM versions prior to 5.2.1. ----------------------------------------------------------------------\n\n\nSecure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. \n\nJoin the beta: \nhttp://secunia.com/products/corporate/vim/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nvtiger CRM Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA42246\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/42246/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246\n\nRELEASE DATE:\n2010-11-19\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/42246/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/42246/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED 
SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nSome vulnerabilities have been discovered in vtiger CRM, which can be\nexploited by malicious users to compromise a vulnerable system and by\nmalicious people to conduct cross-site scripting attacks and disclose\nsensitive information. \n\n1) An error exists in the file upload functionality due to the emails\nmodule not properly checking file names and extensions. This can be\nexploited to upload and execute arbitrary PHP code e.g. via \".phtml\"\nfiles. \n\n2) Input passed e.g. via the \"lang_crm\" parameter to phprint.php or\nthe \"current_language\" parameter to graph.php is not properly\nverified in the \"return_application_language()\" function in\ninclude/utils/utils.php before being used to include files. This can\nbe exploited to include arbitrary file from local resources via\ndirectory traversal sequences and URL-encoded NULL bytes. \n\nSuccessful exploitation of this vulnerability requires that\n\"magic_quotes_gpc\" is disabled. \n\n3) Input passed via the \"user_name\" and \"user_password\" parameters to\nindex.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in a\nuser\u0027s browser session in context of an affected site. \n\n4) Input passed via the \"label\" parameter to index.php (when \"module\"\nis set to \"Settings\" and \"action\" is set to \"GetFieldInfo\") is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user\u0027s\nbrowser session in context of an affected site. \n\nThe vulnerabilities are confirmed in version 5.2.0. Other versions\nmay also be affected. \n\nSOLUTION:\nUpdate to version 5.2.1. 
\n\nPROVIDED AND/OR DISCOVERED BY:\nGiovanni \"evilaliv3\" Pellerano and Alessandro \"jekil\" Tanasi\n\nORIGINAL ADVISORY:\nvtiger CRM:\nhttp://wiki.vtiger.com/index.php/Vtiger521:Release_Notes\n\nGiovanni Pellerano and Alessandro Tanasi:\nhttp://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "BID",
            "id": "78746"
          },
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          }
        ],
        "trust": 2.07
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-46514",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2010-3909",
            "trust": 2.9
          },
          {
            "db": "SECUNIA",
            "id": "42246",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248",
            "trust": 0.7
          },
          {
            "db": "BUGTRAQ",
            "id": "20101116 VTIGER CRM 5.2.0 MULTIPLE VULNERABILITIES",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "78746",
            "trust": 0.4
          },
          {
            "db": "PACKETSTORM",
            "id": "95931",
            "trust": 0.2
          },
          {
            "db": "VULHUB",
            "id": "VHN-46514",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "95988",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "db": "BID",
            "id": "78746"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "id": "VAR-201011-0264",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-11T23:04:23.970000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Vtiger521:Release Notes",
            "trust": 0.8,
            "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-94",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.2,
            "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt"
          },
          {
            "trust": 2.1,
            "url": "http://wiki.vtiger.com/index.php/vtiger521:release_notes"
          },
          {
            "trust": 2.0,
            "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/"
          },
          {
            "trust": 1.7,
            "url": "http://secunia.com/advisories/42246"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded"
          },
          {
            "trust": 0.9,
            "url": "http://www.securityfocus.com/archive/1/archive/1/514846/100/0/threaded"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3909"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3909"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/products/corporate/evm/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/secunia_security_advisories/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/42246/#comments"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/42246/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/products/corporate/vim/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/vulnerability_scanning/personal/"
          },
          {
            "trust": 0.1,
            "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/about_secunia_advisories/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3909"
          },
          {
            "trust": 0.1,
            "url": "http://www.tanasi.it/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3911"
          },
          {
            "trust": 0.1,
            "url": "http://www.vtigercrm.com"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/index.php?module=users\u0026action=login\u0026default_user_name"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/graph.php?current_language=/../[..]/../"
          },
          {
            "trust": 0.1,
            "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt"
          },
          {
            "trust": 0.1,
            "url": "http://www.ush.it/,"
          },
          {
            "trust": 0.1,
            "url": "http://www.evilaliv3.org/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/phprint.php?lang_crm=/../[..]/../"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3910"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/index.php?module=settings\u0026action=getfieldinfo\u0026label"
          },
          {
            "trust": 0.1,
            "url": "http://lists.grok.org.uk/full-disclosure-charter.html"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "db": "BID",
            "id": "78746"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "db": "BID",
            "id": "78746"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2010-11-26T00:00:00",
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "date": "2010-11-26T00:00:00",
            "db": "BID",
            "id": "78746"
          },
          {
            "date": "2012-03-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "date": "2010-11-19T06:21:45",
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "date": "2010-11-18T00:23:11",
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "date": "2010-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "date": "2010-11-26T20:00:03.877000",
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-46514"
          },
          {
            "date": "2010-11-26T00:00:00",
            "db": "BID",
            "id": "78746"
          },
          {
            "date": "2012-03-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          },
          {
            "date": "2010-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2010-3909"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM of  config.template.php Vulnerable to arbitrary code execution",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003272"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "code injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-248"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201011-0266

    Vulnerability from variot - Updated: 2025-04-11 23:04

    Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php. vtiger CRM is prone to a cross-site scripting vulnerability. vtiger CRM is an open source web-based customer relationship management system. ----------------------------------------------------------------------

    Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.

    Join the beta: http://secunia.com/products/corporate/vim/


    TITLE: vtiger CRM Multiple Vulnerabilities

    SECUNIA ADVISORY ID: SA42246

    VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42246/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42246

    RELEASE DATE: 2010-11-19

    DISCUSS ADVISORY: http://secunia.com/advisories/42246/#comments

    AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)

    http://secunia.com/advisories/42246/

    ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS

    https://ca.secunia.com/?page=viewadvisory&vuln_id=42246

    ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING

    http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

    DESCRIPTION: Some vulnerabilities have been discovered in vtiger CRM, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

    1) An error exists in the file upload functionality due to the emails module not properly checking file names and extensions. This can be exploited to upload and execute arbitrary PHP code e.g. via ".phtml" files.

    2) Input passed e.g. via the "lang_crm" parameter to phprint.php or the "current_language" parameter to graph.php is not properly verified in the "return_application_language()" function in include/utils/utils.php before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

    Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

    3) Input passed via the "user_name" and "user_password" parameters to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    4) Input passed via the "label" parameter to index.php (when "module" is set to "Settings" and "action" is set to "GetFieldInfo") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    The vulnerabilities are confirmed in version 5.2.0. Other versions may also be affected.

    SOLUTION: Update to version 5.2.1.

    PROVIDED AND/OR DISCOVERED BY: Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi

    ORIGINAL ADVISORY: vtiger CRM: http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes

    Giovanni Pellerano and Alessandro Tanasi: http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt

    OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/


    About: This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

    Subscribe: http://secunia.com/advisories/secunia_security_advisories/

    Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

    Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.


    Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org



    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201011-0266",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0.1"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm validation",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm rc1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm beta",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm beta",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "73791"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "73791"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2010-3911",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2010-3911",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "VHN-46516",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2010-3911",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2010-3911",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201011-246",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-46516",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php. vtiger CRM is prone to a cross-site scripting vulnerability. vtiger CRM is an open source web-based customer relationship management system. ----------------------------------------------------------------------\n\n\nSecure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. \n\nJoin the beta: \nhttp://secunia.com/products/corporate/vim/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nvtiger CRM Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA42246\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/42246/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246\n\nRELEASE DATE:\n2010-11-19\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/42246/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/42246/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED 
SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nSome vulnerabilities have been discovered in vtiger CRM, which can be\nexploited by malicious users to compromise a vulnerable system and by\nmalicious people to conduct cross-site scripting attacks and disclose\nsensitive information. \n\n1) An error exists in the file upload functionality due to the emails\nmodule not properly checking file names and extensions. This can be\nexploited to upload and execute arbitrary PHP code e.g. via \".phtml\"\nfiles. \n\n2) Input passed e.g. via the \"lang_crm\" parameter to phprint.php or\nthe \"current_language\" parameter to graph.php is not properly\nverified in the \"return_application_language()\" function in\ninclude/utils/utils.php before being used to include files. This can\nbe exploited to include arbitrary file from local resources via\ndirectory traversal sequences and URL-encoded NULL bytes. \n\nSuccessful exploitation of this vulnerability requires that\n\"magic_quotes_gpc\" is disabled. \n\n3) Input passed via the \"user_name\" and \"user_password\" parameters to\nindex.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in a\nuser\u0027s browser session in context of an affected site. \n\n4) Input passed via the \"label\" parameter to index.php (when \"module\"\nis set to \"Settings\" and \"action\" is set to \"GetFieldInfo\") is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user\u0027s\nbrowser session in context of an affected site. \n\nThe vulnerabilities are confirmed in version 5.2.0. Other versions\nmay also be affected. \n\nSOLUTION:\nUpdate to version 5.2.1. 
\n\nPROVIDED AND/OR DISCOVERED BY:\nGiovanni \"evilaliv3\" Pellerano and Alessandro \"jekil\" Tanasi\n\nORIGINAL ADVISORY:\nvtiger CRM:\nhttp://wiki.vtiger.com/index.php/Vtiger521:Release_Notes\n\nGiovanni Pellerano and Alessandro Tanasi:\nhttp://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "BID",
            "id": "73791"
          },
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          }
        ],
        "trust": 2.07
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2010-3911",
            "trust": 2.9
          },
          {
            "db": "SECUNIA",
            "id": "42246",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246",
            "trust": 0.7
          },
          {
            "db": "BUGTRAQ",
            "id": "20101116 VTIGER CRM 5.2.0 MULTIPLE VULNERABILITIES",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "73791",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-46516",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "95988",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "95931",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "db": "BID",
            "id": "73791"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "id": "VAR-201011-0266",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-11T23:04:23.931000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Vtiger521:Release Notes",
            "trust": 0.8,
            "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes"
          },
          {
            "title": "vtigercrm-510-521-patch",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=32061"
          },
          {
            "title": "vtigercrm-5.2.1",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=32060"
          },
          {
            "title": "vtigercrm-5.2.1",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=32059"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.2,
            "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt"
          },
          {
            "trust": 2.1,
            "url": "http://wiki.vtiger.com/index.php/vtiger521:release_notes"
          },
          {
            "trust": 2.0,
            "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/"
          },
          {
            "trust": 1.7,
            "url": "http://secunia.com/advisories/42246"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded"
          },
          {
            "trust": 0.9,
            "url": "http://www.securityfocus.com/archive/1/archive/1/514846/100/0/threaded"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3911"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3911"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/products/corporate/evm/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/secunia_security_advisories/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/42246/#comments"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/42246/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/products/corporate/vim/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/vulnerability_scanning/personal/"
          },
          {
            "trust": 0.1,
            "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/about_secunia_advisories/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3909"
          },
          {
            "trust": 0.1,
            "url": "http://www.tanasi.it/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3911"
          },
          {
            "trust": 0.1,
            "url": "http://www.vtigercrm.com"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/index.php?module=users\u0026action=login\u0026default_user_name"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/graph.php?current_language=/../[..]/../"
          },
          {
            "trust": 0.1,
            "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt"
          },
          {
            "trust": 0.1,
            "url": "http://www.ush.it/,"
          },
          {
            "trust": 0.1,
            "url": "http://www.evilaliv3.org/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/phprint.php?lang_crm=/../[..]/../"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3910"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/index.php?module=settings\u0026action=getfieldinfo\u0026label"
          },
          {
            "trust": 0.1,
            "url": "http://lists.grok.org.uk/full-disclosure-charter.html"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "db": "BID",
            "id": "73791"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "db": "BID",
            "id": "73791"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2010-11-26T00:00:00",
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "date": "2010-11-26T00:00:00",
            "db": "BID",
            "id": "73791"
          },
          {
            "date": "2012-03-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "date": "2010-11-19T06:21:45",
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "date": "2010-11-18T00:23:11",
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "date": "2010-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "date": "2010-11-26T20:00:03.970000",
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-46516"
          },
          {
            "date": "2010-11-26T00:00:00",
            "db": "BID",
            "id": "73791"
          },
          {
            "date": "2012-03-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          },
          {
            "date": "2010-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2010-3911"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM Vulnerable to cross-site scripting",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003274"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "xss",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-246"
          }
        ],
        "trust": 0.7
      }
    }

    VAR-201011-0265

    Vulnerability from variot - Updated: 2025-04-11 23:04

    Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php. The return_application_language function of vtiger CRM contains a directory traversal vulnerability. A third party may be able to include and execute arbitrary local files via ".." (two half-width periods) in the lang_crm parameter to phprint.php, or in the current_language parameter of an Accounts Import action to graph.php. vtiger CRM is prone to a file-upload vulnerability. vtiger CRM is an open source web-based customer relationship management system. ----------------------------------------------------------------------

    Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.

    Join the beta: http://secunia.com/products/corporate/vim/


    TITLE: vtiger CRM Multiple Vulnerabilities

    SECUNIA ADVISORY ID: SA42246

    VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42246/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42246

    RELEASE DATE: 2010-11-19

    DISCUSS ADVISORY: http://secunia.com/advisories/42246/#comments

    AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)

    http://secunia.com/advisories/42246/

    ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS

    https://ca.secunia.com/?page=viewadvisory&vuln_id=42246

    ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING

    http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

    DESCRIPTION: Some vulnerabilities have been discovered in vtiger CRM, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

    1) An error exists in the file upload functionality due to the emails module not properly checking file names and extensions. This can be exploited to upload and execute arbitrary PHP code e.g. via ".phtml" files.

    2) Input passed e.g. via the "lang_crm" parameter to phprint.php or the "current_language" parameter to graph.php is not properly verified in the "return_application_language()" function in include/utils/utils.php before being used to include files.

    Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

    3) Input passed via the "user_name" and "user_password" parameters to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    4) Input passed via the "label" parameter to index.php (when "module" is set to "Settings" and "action" is set to "GetFieldInfo") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    The vulnerabilities are confirmed in version 5.2.0. Other versions may also be affected.

    SOLUTION: Update to version 5.2.1.

    PROVIDED AND/OR DISCOVERED BY: Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi

    ORIGINAL ADVISORY: vtiger CRM: http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes

    Giovanni Pellerano and Alessandro Tanasi: http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt

    OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

    EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/


    About: This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

    Subscribe: http://secunia.com/advisories/secunia_security_advisories/

    Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

    Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.


    Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org



    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201011-0265",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0.1"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm validation",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm rc1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm beta",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm beta",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "3.0"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "78763"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "78763"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2010-3910",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.8,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "CVE-2010-3910",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.8,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "VHN-46515",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2010-3910",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2010-3910",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201011-247",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-46515",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php. The return_application_language function of vtiger CRM contains a directory traversal vulnerability: a remote third party can place a .. (dot dot) sequence in the lang_crm parameter to phprint.php, or in the current_language parameter of an Accounts Import action to graph.php, to include and execute arbitrary local files. The per-source records below also mention a separate file-upload weakness in the emails module (item 1 of the Secunia advisory); this entry tracks the directory traversal (CVE-2010-3910). vtiger CRM is an open source web-based customer relationship management system. ----------------------------------------------------------------------\n\n\nSecure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. 
\n\nJoin the beta: \nhttp://secunia.com/products/corporate/vim/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nvtiger CRM Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA42246\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/42246/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246\n\nRELEASE DATE:\n2010-11-19\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/42246/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/42246/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nSome vulnerabilities have been discovered in vtiger CRM, which can be\nexploited by malicious users to compromise a vulnerable system and by\nmalicious people to conduct cross-site scripting attacks and disclose\nsensitive information. \n\n1) An error exists in the file upload functionality due to the emails\nmodule not properly checking file names and extensions. This can be\nexploited to upload and execute arbitrary PHP code e.g. via \".phtml\"\nfiles. \n\n2) Input passed e.g. via the \"lang_crm\" parameter to phprint.php or\nthe \"current_language\" parameter to graph.php is not properly\nverified in the \"return_application_language()\" function in\ninclude/utils/utils.php before being used to include files. 
\n\nSuccessful exploitation of this vulnerability requires that\n\"magic_quotes_gpc\" is disabled. \n\n3) Input passed via the \"user_name\" and \"user_password\" parameters to\nindex.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in a\nuser\u0027s browser session in context of an affected site. \n\n4) Input passed via the \"label\" parameter to index.php (when \"module\"\nis set to \"Settings\" and \"action\" is set to \"GetFieldInfo\") is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user\u0027s\nbrowser session in context of an affected site. \n\nThe vulnerabilities are confirmed in version 5.2.0. Other versions\nmay also be affected. \n\nSOLUTION:\nUpdate to version 5.2.1. \n\nPROVIDED AND/OR DISCOVERED BY:\nGiovanni \"evilaliv3\" Pellerano and Alessandro \"jekil\" Tanasi\n\nORIGINAL ADVISORY:\nvtiger CRM:\nhttp://wiki.vtiger.com/index.php/Vtiger521:Release_Notes\n\nGiovanni Pellerano and Alessandro Tanasi:\nhttp://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. 
\n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "BID",
            "id": "78763"
          },
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          }
        ],
        "trust": 2.07
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2010-3910",
            "trust": 2.9
          },
          {
            "db": "SECUNIA",
            "id": "42246",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247",
            "trust": 0.7
          },
          {
            "db": "BUGTRAQ",
            "id": "20101116 VTIGER CRM 5.2.0 MULTIPLE VULNERABILITIES",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "78763",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-46515",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "95988",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "95931",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "db": "BID",
            "id": "78763"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "id": "VAR-201011-0265",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-11T23:04:23.889000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Vtiger521:Release Notes",
            "trust": 0.8,
            "url": "http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes"
          },
          {
            "title": "vtigercrm-510-521-patch",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=32061"
          },
          {
            "title": "vtigercrm-5.2.1",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=32060"
          },
          {
            "title": "vtigercrm-5.2.1",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=32059"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-22",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.2,
            "url": "http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt"
          },
          {
            "trust": 2.1,
            "url": "http://wiki.vtiger.com/index.php/vtiger521:release_notes"
          },
          {
            "trust": 2.0,
            "url": "http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/"
          },
          {
            "trust": 1.7,
            "url": "http://secunia.com/advisories/42246"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/514846/100/0/threaded"
          },
          {
            "trust": 0.9,
            "url": "http://www.securityfocus.com/archive/1/archive/1/514846/100/0/threaded"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3910"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3910"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/products/corporate/evm/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/secunia_security_advisories/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/42246/#comments"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/42246/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/products/corporate/vim/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/vulnerability_scanning/personal/"
          },
          {
            "trust": 0.1,
            "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=42246"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/about_secunia_advisories/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3909"
          },
          {
            "trust": 0.1,
            "url": "http://www.tanasi.it/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3911"
          },
          {
            "trust": 0.1,
            "url": "http://www.vtigercrm.com"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/index.php?module=users\u0026action=login\u0026default_user_name"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/graph.php?current_language=/../[..]/../"
          },
          {
            "trust": 0.1,
            "url": "http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt"
          },
          {
            "trust": 0.1,
            "url": "http://www.ush.it/,"
          },
          {
            "trust": 0.1,
            "url": "http://www.evilaliv3.org/"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/phprint.php?lang_crm=/../[..]/../"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3910"
          },
          {
            "trust": 0.1,
            "url": "http://127.0.0.1/vtigercrm/index.php?module=settings\u0026action=getfieldinfo\u0026label"
          },
          {
            "trust": 0.1,
            "url": "http://lists.grok.org.uk/full-disclosure-charter.html"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "db": "BID",
            "id": "78763"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "db": "BID",
            "id": "78763"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2010-11-26T00:00:00",
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "date": "2010-11-26T00:00:00",
            "db": "BID",
            "id": "78763"
          },
          {
            "date": "2012-03-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "date": "2010-11-19T06:21:45",
            "db": "PACKETSTORM",
            "id": "95988"
          },
          {
            "date": "2010-11-18T00:23:11",
            "db": "PACKETSTORM",
            "id": "95931"
          },
          {
            "date": "2010-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "date": "2010-11-26T20:00:03.940000",
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-46515"
          },
          {
            "date": "2010-11-26T00:00:00",
            "db": "BID",
            "id": "78763"
          },
          {
            "date": "2012-03-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          },
          {
            "date": "2010-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2010-3910"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM return_application_language function vulnerable to directory traversal",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2010-003273"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "path traversal",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201011-247"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201112-0340

    Vulnerability from variot - Updated: 2025-04-11 23:04

    Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vtiger CRM is a Web-based Customer Relationship Management (CRM) system built around Sales Force Automation (SFA). Attackers can build malicious web pages, entice users to open them, and thereby obtain sensitive information or hijack user sessions. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to vtiger CRM 5.2.0 are vulnerable. The management system provides functions such as management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201112-0340",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 2.5,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 2.5,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 2.5,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 2.5,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm rc",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "rc",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger crm",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger crm",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "3.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.3"
          },
          {
            "model": "crm",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "1.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "2.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "2.0.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "2.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "3"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "3.2"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "4.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "4.0.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "4.2.4"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "5.0.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "5.0.2"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "5.0.3"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "*"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "5.1.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.2,
            "vendor": "vtiger crm",
            "version": "5.2.1"
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "BID",
            "id": "51023"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "51023"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2011-4680",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2011-4680",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "57d70116-2354-11e6-abef-000c29c66e3d",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "VHN-52625",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2011-4680",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2011-4680",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201112-081",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "57d70116-2354-11e6-abef-000c29c66e3d",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-52625",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). Attackers can build malicious web pages, entice users to parse, get sensitive information, or hijack user sessions. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. \nVersions prior to vtiger CRM 5.2.0 are vulnerable. The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "BID",
            "id": "51023"
          },
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          }
        ],
        "trust": 2.7
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2011-4680",
            "trust": 3.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081",
            "trust": 0.9
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252",
            "trust": 0.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300",
            "trust": 0.8
          },
          {
            "db": "BID",
            "id": "51023",
            "trust": 0.4
          },
          {
            "db": "IVD",
            "id": "57D70116-2354-11E6-ABEF-000C29C66E3D",
            "trust": 0.2
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "db": "BID",
            "id": "51023"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "id": "VAR-201112-0340",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          }
        ],
        "trust": 1.5395833200000002
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "ICS"
            ],
            "sub_category": null,
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          }
        ]
      },
      "last_update_date": "2025-04-11T23:04:15.576000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Jan2011:ODUpdate",
            "trust": 0.8,
            "url": "http://wiki.vtiger.com/index.php/Jan2011:ODUpdate"
          },
          {
            "title": "Patch for vtiger CRM Cross-Site Scripting Vulnerability (CNVD-2011-5252)",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/6258"
          },
          {
            "title": "vtigercrm-521-530-patch",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=41995"
          },
          {
            "title": "vtigercrm-5.3.0",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=41994"
          },
          {
            "title": "vtigercrm-5.3.0",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=41993"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://wiki.vtiger.com/index.php/jan2011:odupdate"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4680"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4680"
          },
          {
            "trust": 0.6,
            "url": "http://wiki.vtiger.com/index.php/jan2011"
          },
          {
            "trust": 0.3,
            "url": "www.vtiger.de"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "db": "BID",
            "id": "51023"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "db": "BID",
            "id": "51023"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-12-14T00:00:00",
            "db": "IVD",
            "id": "57d70116-2354-11e6-abef-000c29c66e3d"
          },
          {
            "date": "2011-12-14T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "date": "2011-12-07T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "date": "2011-12-12T00:00:00",
            "db": "BID",
            "id": "51023"
          },
          {
            "date": "2011-12-12T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "date": "2011-12-07T19:55:02.470000",
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-12-14T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5252"
          },
          {
            "date": "2018-10-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52625"
          },
          {
            "date": "2011-12-12T00:00:00",
            "db": "BID",
            "id": "51023"
          },
          {
            "date": "2011-12-12T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2011-4680"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM Vulnerable to cross-site scripting",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003300"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-081"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201112-0325

    Vulnerability from variot - Updated: 2025-04-11 23:02

    Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php. vTiger CRM contains a cross-site scripting vulnerability. A third party may insert web script or HTML through the parameters listed above. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). Multiple cross-site scripting vulnerabilities existed in vTiger CRM 5.2.1 and earlier. The vulnerability stems from the fact that data supplied by the user has not been properly checked.
A remote attacker could exploit the vulnerability to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site, stealing cookie-based authentication credentials and launching other attacks, or injecting arbitrary web scripts or HTML through multiple parameters, such as the viewname and activity_mode parameters. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201112-0325",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.5,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "*"
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "BID",
            "id": "49927"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Aung Khant",
        "sources": [
          {
            "db": "BID",
            "id": "49927"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2011-4670",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2011-4670",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.8,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "CNVD-2011-5742",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.8,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.8,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "7d7e8b80-463f-11e9-be72-000c29342cb1",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "VHN-52615",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2011-4670",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2011-4670",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2011-5742",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201112-013",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "IVD",
                "id": "7d7e8b80-463f-11e9-be72-000c29342cb1",
                "trust": 0.2,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-52615",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php. vTiger CRM Contains a cross-site scripting vulnerability.By a third party, through the following parameters, Web Script or HTML May be inserted. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). Multiple cross-site scripting vulnerabilities existed in vTiger CRM 5.2.1 and earlier. The vulnerability stems from the fact that the data provided to the user has not been properly checked. 
A remote attacker could exploit the vulnerability to execute arbitrary script code in an unknown user\u0027s browser in the context of the affected site, stealing a cookie-based authentication certificate and initiating other attacks, or injecting arbitrary web scripts or HTML through multiple parameters, such as: viewname And the activity_mode parameter. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. \nvtiger CRM 5.2.1 is vulnerable; other versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "BID",
            "id": "49927"
          },
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          }
        ],
        "trust": 2.88
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-52615",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2011-4670",
            "trust": 3.8
          },
          {
            "db": "BID",
            "id": "49927",
            "trust": 3.2
          },
          {
            "db": "OSVDB",
            "id": "76006",
            "trust": 1.7
          },
          {
            "db": "OSVDB",
            "id": "76005",
            "trust": 1.7
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013",
            "trust": 1.1
          },
          {
            "db": "EXPLOIT-DB",
            "id": "36203",
            "trust": 1.1
          },
          {
            "db": "EXPLOIT-DB",
            "id": "36204",
            "trust": 1.1
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359",
            "trust": 0.6
          },
          {
            "db": "BUGTRAQ",
            "id": "20111004 VTIGER CRM 5.2.X \u003c= MULTIPLE CROSS SITE SCRIPTING VULNERABILITIES",
            "trust": 0.6
          },
          {
            "db": "XF",
            "id": "70306",
            "trust": 0.6
          },
          {
            "db": "FULLDISC",
            "id": "20111004 VTIGER CRM 5.2.X \u003c= MULTIPLE CROSS SITE SCRIPTING VULNERABILITIES",
            "trust": 0.6
          },
          {
            "db": "IVD",
            "id": "5A5BACB6-2354-11E6-ABEF-000C29C66E3D",
            "trust": 0.2
          },
          {
            "db": "IVD",
            "id": "7D7E8B80-463F-11E9-BE72-000C29342CB1",
            "trust": 0.2
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "db": "BID",
            "id": "49927"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "id": "VAR-201112-0325",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          }
        ],
        "trust": 1.6291666400000002
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "ICS"
            ],
            "sub_category": null,
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          }
        ]
      },
      "last_update_date": "2025-04-11T23:02:03.534000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "vtigerCRM.jp",
            "trust": 0.8,
            "url": "http://www.vtigercrm.jp/home"
          },
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "http://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.9,
            "url": "http://www.securityfocus.com/bid/49927"
          },
          {
            "trust": 2.0,
            "url": "http://seclists.org/fulldisclosure/2011/oct/154"
          },
          {
            "trust": 1.7,
            "url": "http://yehg.net/lab/pr0js/advisories/%5bvtiger_5.2.1%5d_xss"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/76005"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/76006"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/519993/100/0/threaded"
          },
          {
            "trust": 1.1,
            "url": "https://www.exploit-db.com/exploits/36203/"
          },
          {
            "trust": 1.1,
            "url": "https://www.exploit-db.com/exploits/36204/"
          },
          {
            "trust": 1.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70306"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4670"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4670"
          },
          {
            "trust": 0.6,
            "url": "http://xforce.iss.net/xforce/xfdb/70306"
          },
          {
            "trust": 0.6,
            "url": "http://www.securityfocus.com/archive/1/archive/1/519993/100/0/threaded"
          },
          {
            "trust": 0.3,
            "url": "www.vtiger.de"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "db": "BID",
            "id": "49927"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "db": "BID",
            "id": "49927"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-12-05T00:00:00",
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "date": "2011-12-05T00:00:00",
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "date": "2011-12-05T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "date": "2011-12-02T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "date": "2011-10-04T00:00:00",
            "db": "BID",
            "id": "49927"
          },
          {
            "date": "2011-12-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "date": "1900-01-01T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "date": "2011-12-05T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "date": "2011-12-02T16:55:02.420000",
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-12-05T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "date": "2018-10-09T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52615"
          },
          {
            "date": "2011-12-06T19:37:00",
            "db": "BID",
            "id": "49927"
          },
          {
            "date": "2011-12-08T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003188"
          },
          {
            "date": "2011-10-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "date": "2011-12-05T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2011-4670"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          }
        ],
        "trust": 1.2
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vTiger CRM Cross-Site Scripting Vulnerability",
        "sources": [
          {
            "db": "IVD",
            "id": "5a5bacb6-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "IVD",
            "id": "7d7e8b80-463f-11e9-be72-000c29342cb1"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5742"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          }
        ],
        "trust": 1.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201112-013"
          }
        ],
        "trust": 1.2
      }
    }

    VAR-201402-0420

    Vulnerability from variot - Updated: 2025-04-11 23:01

    Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php. The affected elements are: (1) the return_url parameter of modules\com_vtiger_workflow\savetemplate.php, (2) unspecified elements of deletetask.php, (3) unspecified elements of edittask.php, (4) unspecified elements of savetask.php, and (5) unspecified elements of saveworkflow.php. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by Vtiger in the United States. The management system provides functions such as management, collection, and analysis of customer information. A cross-site scripting vulnerability exists in Vtiger, which stems from the program not properly filtering user-submitted input. When a user browses an affected website, their browser will execute arbitrary script code supplied by the attacker, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Vtiger 5.4.0 is vulnerable; other versions may also be affected. [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting

    I. * Information *

    Name : Vtiger 5.4.0 Reflected Cross Site Scripting Software : Vtiger 5.4.0 and possibly below. Vendor Homepage : https://www.vtiger.com/ Vulnerability Type : Reflected Cross-Site Scripting Severity : Medium (3/5) Advisory Reference : SOJOBO-ADV-13-05 (http://www.enkomio.com/Advisories) Credits: Sojobo dev team Description: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static Analysis Tool.

    II. * Details *

    A) Reflected Cross Site Scripting in savetemplate.php, deletetask.php, edittask.php, savetask.php and saveworkflow.php [Impact: 3/5]

    Follow a trace to reach the vulnerable code.

    File: \modules\com_vtiger_workflow\savetemplate.php 45: vtSaveWorkflowTemplate($adb, $_REQUEST); ... 37: $returnUrl = $request['return_url']; ... 40: window.location="";

    The variable 'return_url' isn't correctly validated before being printed in the page.

    A test request is: /index.php?module=com_vtiger_workflow&action=savetemplate&return_url=">alert('xss');

    III. * Report Timeline *

    26 October 2013 - First contact; 29 October 2013 - Fix announced for the new version; 10 December 2013 - Fix released with the new version

    IV. * About Sojobo *

    Sojobo allows you to find security vulnerabilities in your PHP web application source code before others do. By using state-of-the-art techniques, Sojobo is able to identify the most critical vulnerabilities in your code and limit the number of false positives.


    {
      "affected_products": {
        "_id": null,
        "data": [
          {
            "_id": null,
            "model": "crm",
            "scope": "eq",
            "trust": 2.4,
            "vendor": "vtiger",
            "version": "5.4.0"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-7326"
          }
        ]
      },
      "configurations": {
        "_id": null,
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          }
        ]
      },
      "credits": {
        "_id": null,
        "data": "Sojobo dev team",
        "sources": [
          {
            "db": "BID",
            "id": "64236"
          },
          {
            "db": "PACKETSTORM",
            "id": "124402"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258"
          }
        ],
        "trust": 1.0
      },
      "cve": "CVE-2013-7326",
      "cvss": {
        "_id": null,
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2013-7326",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "VHN-67328",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2013-7326",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2013-7326",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201402-213",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-67328",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-67328"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-7326"
          }
        ]
      },
      "description": {
        "_id": null,
        "data": "Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\\com_vtiger_workflow\\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php. (1) modules\\com_vtiger_workflow\\savetemplate.php of return_url Parameters (2) deletetask.php Unspecified elements (3) edittask.php Unspecified elements (4) savetask.php Unspecified elements (5) saveworkflow.php Unspecified elements. Vtiger CRM is a set of customer relationship management system (CRM) based on SugarCRM developed by Vtiger in the United States. The management system provides functions such as management, collection, and analysis of customer information. \nA cross-site scripting vulnerability exists in Vtiger, which stems from programs that do not properly filter input submitted by users. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may cause the attacker to steal cookie-based authentication and launch other attacks. Vtiger 5.4.0 has vulnerabilities. Other versions may also be affected. [SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting\n\n\nI. * Information *\n==================\nName : Vtiger 5.4.0 Reflected Cross Site Scripting\nSoftware : Vtiger 5.4.0 and possibly below. \nVendor Homepage : https://www.vtiger.com/\nVulnerability Type : Reflected Cross-Site Scripting\nSeverity : Medium (3/5)\nAdvisory Reference : SOJOBO-ADV-13-05 (http://www.enkomio.com/Advisories)\nCredits: Sojobo dev team\nDescription: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static Analysis Tool. \n\n\nII. 
* Details *\n===============\nA) Reflected Cross Site Scripting in savetemplate.php, deletetask.php, edittask.php, savetask.php and saveworkflow.php [Impact: 3/5]\n\n\nFollow a trace to reach the vulnerable code. \n\n\nFile: \\modules\\com_vtiger_workflow\\savetemplate.php\n45: vtSaveWorkflowTemplate($adb, $_REQUEST);\n... \n37: $returnUrl = $request[\u0027return_url\u0027];\n... \n40: window.location=\"\u003c?php echo $returnUrl?\u003e\";\n\n\nThe variable \u0027return_url\u0027 isn\u0027t correctly validated before to be printed in the page. \n\n\nA test request is: /index.php?module=com_vtiger_workflow\u0026action=savetemplate\u0026return_url=\"\u003e\u003cscript\u003ealert(\u0027xss\u0027);\u003c/script\u003e\n\n\nIII. * Report Timeline *\n========================\n\n\n26 October 2013 - First contact\n29 October 2013 - Fix announced on the new version\n10 December 2013 - Fix release with the new version\n\n\nIV. * About Sojobo *\n====================\nSojobo allows you to find security vulnerabilities in your PHP web application source code before others do. \nBy using the state of the art techniques Sojobo is able to identify the most critical vulnerabilities in your code \nand limit the number of false positives",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2013-7326"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258"
          },
          {
            "db": "BID",
            "id": "64236"
          },
          {
            "db": "VULHUB",
            "id": "VHN-67328"
          },
          {
            "db": "PACKETSTORM",
            "id": "124402"
          }
        ],
        "trust": 2.61
      },
      "external_ids": {
        "_id": null,
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2013-7326",
            "trust": 2.8
          },
          {
            "db": "BID",
            "id": "64236",
            "trust": 2.0
          },
          {
            "db": "PACKETSTORM",
            "id": "124402",
            "trust": 1.8
          },
          {
            "db": "OSVDB",
            "id": "100897",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213",
            "trust": 0.7
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258",
            "trust": 0.6
          },
          {
            "db": "XF",
            "id": "89662",
            "trust": 0.6
          },
          {
            "db": "BUGTRAQ",
            "id": "20131211 [SOJOBO-ADV-13-05] - VTIGER 5.4.0 REFLECTED CROSS SITE SCRIPTING",
            "trust": 0.6
          },
          {
            "db": "VULHUB",
            "id": "VHN-67328",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-67328"
          },
          {
            "db": "BID",
            "id": "64236"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          },
          {
            "db": "PACKETSTORM",
            "id": "124402"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-7326"
          }
        ]
      },
      "id": "VAR-201402-0420",
      "iot": {
        "_id": null,
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-67328"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-11T23:01:41.622000Z",
      "patch": {
        "_id": null,
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://www.vtiger.com/crm/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          }
        ]
      },
      "problemtype_data": {
        "_id": null,
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-67328"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-7326"
          }
        ]
      },
      "references": {
        "_id": null,
        "data": [
          {
            "trust": 2.5,
            "url": "http://www.enkomio.com/advisory/sojobo-adv-13-05"
          },
          {
            "trust": 1.7,
            "url": "http://www.securityfocus.com/bid/64236"
          },
          {
            "trust": 1.7,
            "url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0052.html"
          },
          {
            "trust": 1.7,
            "url": "http://packetstormsecurity.com/files/124402"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/100897"
          },
          {
            "trust": 1.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89662"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7326"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7326"
          },
          {
            "trust": 0.6,
            "url": "http://xforce.iss.net/xforce/xfdb/89662"
          },
          {
            "trust": 0.3,
            "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%205.1.0/"
          },
          {
            "trust": 0.1,
            "url": "http://www.enkomio.com/advisories)"
          },
          {
            "trust": 0.1,
            "url": "https://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-67328"
          },
          {
            "db": "BID",
            "id": "64236"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          },
          {
            "db": "PACKETSTORM",
            "id": "124402"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-7326"
          }
        ]
      },
      "sources": {
        "_id": null,
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-67328",
            "ident": null
          },
          {
            "db": "BID",
            "id": "64236",
            "ident": null
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "124402",
            "ident": null
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258",
            "ident": null
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213",
            "ident": null
          },
          {
            "db": "NVD",
            "id": "CVE-2013-7326",
            "ident": null
          }
        ]
      },
      "sources_release_date": {
        "_id": null,
        "data": [
          {
            "date": "2014-02-14T00:00:00",
            "db": "VULHUB",
            "id": "VHN-67328",
            "ident": null
          },
          {
            "date": "2013-12-11T00:00:00",
            "db": "BID",
            "id": "64236",
            "ident": null
          },
          {
            "date": "2014-02-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2013-006053",
            "ident": null
          },
          {
            "date": "2013-12-12T04:41:27",
            "db": "PACKETSTORM",
            "id": "124402",
            "ident": null
          },
          {
            "date": "2013-12-13T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201312-258",
            "ident": null
          },
          {
            "date": "2014-02-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201402-213",
            "ident": null
          },
          {
            "date": "2014-02-14T19:55:26.717000",
            "db": "NVD",
            "id": "CVE-2013-7326",
            "ident": null
          }
        ]
      },
      "sources_update_date": {
        "_id": null,
        "data": [
          {
            "date": "2017-08-29T00:00:00",
            "db": "VULHUB",
            "id": "VHN-67328",
            "ident": null
          },
          {
            "date": "2014-02-18T15:27:00",
            "db": "BID",
            "id": "64236",
            "ident": null
          },
          {
            "date": "2014-02-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2013-006053",
            "ident": null
          },
          {
            "date": "2013-12-13T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201312-258",
            "ident": null
          },
          {
            "date": "2014-02-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201402-213",
            "ident": null
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2013-7326",
            "ident": null
          }
        ]
      },
      "threat_type": {
        "_id": null,
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213"
          }
        ],
        "trust": 1.2
      },
      "title": {
        "_id": null,
        "data": "vTiger CRM Vulnerable to cross-site scripting",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-006053"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "_id": null,
        "data": "xss",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "124402"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201312-258"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201402-213"
          }
        ],
        "trust": 1.3
      }
    }

    VAR-201310-0304

    Vulnerability from variot - Updated: 2025-04-11 20:17

    SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559. An SQL injection vulnerability exists in CalendarCommon.php of vTiger CRM. vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.4.0 is vulnerable; prior versions may also be affected. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as the management, collection, and analysis of customer information. The vulnerability is caused by the program not adequately filtering the 'onlyforuser' parameter passed to the index.php script.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201310-0304",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "5.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "vtiger",
            "version": "5.4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "62487"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "High-Tech Bridge Security Research Lab",
        "sources": [
          {
            "db": "BID",
            "id": "62487"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2013-5091",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2013-5091",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "VHN-65093",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2013-5091",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2013-5091",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201309-373",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-65093",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.  NOTE: this issue might be a duplicate of CVE-2011-4559. vTiger CRM of CalendarCommon.php Is SQL An injection vulnerability exists. vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. \nExploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. \nvtiger CRM 5.4.0 is vulnerable; prior versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability is caused by the program not adequately filtering the \u0027onlyforuser\u0027 parameter passed to the index.php script",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "BID",
            "id": "62487"
          },
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          }
        ],
        "trust": 1.98
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-65093",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2013-5091",
            "trust": 2.8
          },
          {
            "db": "IMMUNIWEB",
            "id": "HTB23168",
            "trust": 1.7
          },
          {
            "db": "EXPLOIT-DB",
            "id": "28409",
            "trust": 1.7
          },
          {
            "db": "OSVDB",
            "id": "76138",
            "trust": 1.7
          },
          {
            "db": "BID",
            "id": "62487",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373",
            "trust": 0.7
          },
          {
            "db": "BUGTRAQ",
            "id": "20130918 SQL INJECTION IN VTIGER CRM",
            "trust": 0.6
          },
          {
            "db": "PACKETSTORM",
            "id": "123296",
            "trust": 0.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-81979",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-65093",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "db": "BID",
            "id": "62487"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "id": "VAR-201310-0304",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-11T20:17:34.459000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "vtiger CRM 5.4.0 (Patch Information)",
            "trust": 0.8,
            "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/"
          },
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://www.vtiger.com/crm/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-89",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html"
          },
          {
            "trust": 1.7,
            "url": "http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%205.4.0/core%20product/"
          },
          {
            "trust": 1.7,
            "url": "http://www.exploit-db.com/exploits/28409"
          },
          {
            "trust": 1.7,
            "url": "https://www.htbridge.com/advisory/htb23168"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/76138"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5091"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5091"
          },
          {
            "trust": 0.6,
            "url": "http://www.securityfocus.com/bid/62487"
          },
          {
            "trust": 0.3,
            "url": "http://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "db": "BID",
            "id": "62487"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "db": "BID",
            "id": "62487"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2013-10-04T00:00:00",
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "date": "2013-09-18T00:00:00",
            "db": "BID",
            "id": "62487"
          },
          {
            "date": "2013-10-08T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "date": "2013-09-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "date": "2013-10-04T20:55:03.857000",
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-65093"
          },
          {
            "date": "2013-09-18T00:00:00",
            "db": "BID",
            "id": "62487"
          },
          {
            "date": "2013-10-08T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          },
          {
            "date": "2013-10-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2013-5091"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vTiger CRM of  CalendarCommon.php In  SQL Injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2013-004517"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201309-373"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201111-0152

    Vulnerability from variot - Updated: 2025-04-11 19:37

    SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. Vtiger CRM is a Web-based Customer Relationship Management System (CRM) built around Sales Force Automation (SFA). vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201111-0152",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.8,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "2.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "4.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "2.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "3.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "4.0.1"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "3.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "4.2.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.2.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.3"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.4"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.1.0"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.2.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger crm",
            "version": "3.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger crm",
            "version": "4.2"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger crm",
            "version": "5.0.4"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.8,
            "vendor": "vtiger crm",
            "version": "5.1.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "1.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "2.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "2.0.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "2.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "3.2"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "4.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "4.0.1"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "4.2.4"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "5.0.2"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "5.0.3"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "5.2.0"
          },
          {
            "model": null,
            "scope": "eq",
            "trust": 0.4,
            "vendor": "vtiger crm",
            "version": "*"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "5.2"
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "BID",
            "id": "49948"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Aung Khant, YGN Ethical Hacker Group and Myanmar",
        "sources": [
          {
            "db": "BID",
            "id": "49948"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2011-4559",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2011-4559",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2011-5753",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "IVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "5e7e5136-2354-11e6-abef-000c29c66e3d",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.2,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.9 [IVD]"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "VHN-52504",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2011-4559",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2011-4559",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2011-5753",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201111-458",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "IVD",
                "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1",
                "trust": 0.2,
                "value": "HIGH"
              },
              {
                "author": "IVD",
                "id": "5e7e5136-2354-11e6-abef-000c29c66e3d",
                "trust": 0.2,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-52504",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. \nExploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. \nvtiger CRM 5.2.1 is vulnerable; prior versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "BID",
            "id": "49948"
          },
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          }
        ],
        "trust": 2.88
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-52504",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2011-4559",
            "trust": 3.8
          },
          {
            "db": "BID",
            "id": "49948",
            "trust": 3.2
          },
          {
            "db": "OSVDB",
            "id": "76138",
            "trust": 1.7
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458",
            "trust": 1.1
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300",
            "trust": 0.6
          },
          {
            "db": "XF",
            "id": "70344",
            "trust": 0.6
          },
          {
            "db": "FULLDISC",
            "id": "20111005 VTIGER CRM 5.2.X \u003c= BLIND SQL INJECTION VULNERABILITY",
            "trust": 0.6
          },
          {
            "db": "BUGTRAQ",
            "id": "20111005 VTIGER CRM 5.2.X \u003c= BLIND SQL INJECTION VULNERABILITY",
            "trust": 0.6
          },
          {
            "db": "IVD",
            "id": "7D7D2BF1-463F-11E9-A163-000C29342CB1",
            "trust": 0.2
          },
          {
            "db": "IVD",
            "id": "5E7E5136-2354-11E6-ABEF-000C29C66E3D",
            "trust": 0.2
          },
          {
            "db": "EXPLOIT-DB",
            "id": "36208",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "db": "BID",
            "id": "49948"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "id": "VAR-201111-0152",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          }
        ],
        "trust": 1.6291666400000002
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "ICS"
            ],
            "sub_category": null,
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          }
        ]
      },
      "last_update_date": "2025-04-11T19:37:48.477000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "http://www.vtigercrm.jp/home"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-89",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.9,
            "url": "http://www.securityfocus.com/bid/49948"
          },
          {
            "trust": 2.0,
            "url": "http://yehg.net/lab/pr0js/advisories/%5bvtiger_5.2.1%5d_blind_sqlin"
          },
          {
            "trust": 1.7,
            "url": "http://seclists.org/fulldisclosure/2011/oct/224"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/76138"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/520006/100/0/threaded"
          },
          {
            "trust": 1.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70344"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4559"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4559"
          },
          {
            "trust": 0.6,
            "url": "http://xforce.iss.net/xforce/xfdb/70344"
          },
          {
            "trust": 0.6,
            "url": "http://www.securityfocus.com/archive/1/archive/1/520006/100/0/threaded"
          },
          {
            "trust": 0.3,
            "url": "http://www.vtiger.com/"
          },
          {
            "trust": 0.3,
            "url": "https://secure.wikimedia.org/wikipedia/en/wiki/vtiger_crm"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "db": "BID",
            "id": "49948"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "db": "BID",
            "id": "49948"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-11-30T00:00:00",
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "date": "2011-11-30T00:00:00",
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "date": "2011-11-30T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "date": "2011-11-28T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "date": "2011-10-05T00:00:00",
            "db": "BID",
            "id": "49948"
          },
          {
            "date": "2011-11-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "date": "1900-01-01T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "date": "2011-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "date": "2011-11-28T21:55:07.997000",
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2011-11-30T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "date": "2018-10-09T00:00:00",
            "db": "VULHUB",
            "id": "VHN-52504"
          },
          {
            "date": "2011-12-05T18:07:00",
            "db": "BID",
            "id": "49948"
          },
          {
            "date": "2011-11-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2011-003104"
          },
          {
            "date": "2011-10-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "date": "2011-11-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2011-4559"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          }
        ],
        "trust": 1.2
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vTiger CRM Calendar Module SQL Injection Vulnerability",
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2011-5753"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          }
        ],
        "trust": 1.2
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection",
        "sources": [
          {
            "db": "IVD",
            "id": "7d7d2bf1-463f-11e9-a163-000c29342cb1"
          },
          {
            "db": "IVD",
            "id": "5e7e5136-2354-11e6-abef-000c29c66e3d"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201110-300"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201111-458"
          }
        ],
        "trust": 1.6
      }
    }

    VAR-200707-0378

    Vulnerability from variot - Updated: 2025-04-10 23:25

    SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php. vtiger CRM is prone to an SQL-injection vulnerability.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0378",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.3"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "81654"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "81654"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2007-3603",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2007-3603",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "VHN-26965",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2007-3603",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2007-3603",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200707-100",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-26965",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26965"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticated users to execute arbitrary SQL commands via the assigned_user_id parameter in a Potentials ListView action to index.php. vtiger CRM is prone to a sql-injection vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "db": "BID",
            "id": "81654"
          },
          {
            "db": "VULHUB",
            "id": "VHN-26965"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2007-3603",
            "trust": 2.8
          },
          {
            "db": "OSVDB",
            "id": "45782",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "81654",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-26965",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26965"
          },
          {
            "db": "BID",
            "id": "81654"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "id": "VAR-200707-0378",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26965"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:25:44.762000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "3196",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://forums.vtiger.com/viewtopic.php?p=44717"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3196"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10423"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/45782"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3603"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3603"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26965"
          },
          {
            "db": "BID",
            "id": "81654"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-26965"
          },
          {
            "db": "BID",
            "id": "81654"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26965"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "81654"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "date": "2007-07-06T19:30:00",
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2008-11-13T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26965"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "81654"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          },
          {
            "date": "2007-07-11T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2007-3603"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM of  dashboard In  SQL Injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005822"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-100"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-200610-0315

    Vulnerability from variot - Updated: 2025-04-10 23:25

    Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php. The affected entry points are the calpath parameter of (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, and (3) modules/Calendar/calendar.php. vtiger CRM is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. This may allow an attacker to compromise the application and the underlying system; other attacks are also possible. vtiger CRM 4.2 and prior versions are vulnerable; other versions may also be affected.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200610-0315",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "eq",
            "trust": 1.9,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "4.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vtiger",
            "version": "4.2.4"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "20435"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Dedi Dwianto is credited with the discovery of these vulnerabilities.",
        "sources": [
          {
            "db": "BID",
            "id": "20435"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2006-5289",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2006-5289",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "VHN-21397",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2006-5289",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2006-5289",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200610-203",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-21397",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php. (1) modules/Calendar/admin/update.php To calpath Parameters (2) modules/Calendar/admin/scheme.php To calpath Parameters (3) modules/Calendar/calendar.php To calpath Parameters. vtiger CRM is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. \nThis may allow an attacker to compromise the application and the underlying system; other attacks are also possible. \nvtiger CRM 4.2 and prior versions are vulnerable; other versions may also be affected",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "db": "BID",
            "id": "20435"
          },
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          }
        ],
        "trust": 1.98
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-21397",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2006-5289",
            "trust": 2.5
          },
          {
            "db": "BID",
            "id": "20435",
            "trust": 2.0
          },
          {
            "db": "SREASON",
            "id": "1722",
            "trust": 1.7
          },
          {
            "db": "EXPLOIT-DB",
            "id": "2508",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203",
            "trust": 0.7
          },
          {
            "db": "BUGTRAQ",
            "id": "20061009 [ECHO_ADV_54$2006]VTIGER CRM \u003c=4.2 (CALPATH) MULTIPLE REMOTE FILE INCLUSION VULNERABILITY",
            "trust": 0.6
          },
          {
            "db": "MILW0RM",
            "id": "2508",
            "trust": 0.6
          },
          {
            "db": "XF",
            "id": "29416",
            "trust": 0.6
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-64076",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-21397",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          },
          {
            "db": "BID",
            "id": "20435"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "id": "VAR-200610-0315",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:25:12.950000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "vtiger CRM",
            "trust": 0.8,
            "url": "https://www.vtiger.com/crm/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "http://www.securityfocus.com/bid/20435"
          },
          {
            "trust": 1.7,
            "url": "http://advisories.echo.or.id/adv/adv54-theday-2006.txt"
          },
          {
            "trust": 1.7,
            "url": "http://securityreason.com/securityalert/1722"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/448092/100/0/threaded"
          },
          {
            "trust": 1.1,
            "url": "https://www.exploit-db.com/exploits/2508"
          },
          {
            "trust": 1.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29416"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5289"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-5289"
          },
          {
            "trust": 0.6,
            "url": "http://xforce.iss.net/xforce/xfdb/29416"
          },
          {
            "trust": 0.6,
            "url": "http://www.securityfocus.com/archive/1/archive/1/448092/100/0/threaded"
          },
          {
            "trust": 0.6,
            "url": "http://www.milw0rm.com/exploits/2508"
          },
          {
            "trust": 0.6,
            "url": "http://milw0rm.com/exploits/2508"
          },
          {
            "trust": 0.3,
            "url": "http://www.vtiger.com/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          },
          {
            "db": "BID",
            "id": "20435"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-21397"
          },
          {
            "db": "BID",
            "id": "20435"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2006-10-13T00:00:00",
            "db": "VULHUB",
            "id": "VHN-21397"
          },
          {
            "date": "2006-10-10T00:00:00",
            "db": "BID",
            "id": "20435"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "date": "2006-10-13T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "date": "2006-10-13T20:07:00",
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-17T00:00:00",
            "db": "VULHUB",
            "id": "VHN-21397"
          },
          {
            "date": "2006-10-12T19:49:00",
            "db": "BID",
            "id": "20435"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          },
          {
            "date": "2006-10-16T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2006-5289"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vtiger CRM In  PHP Remote file inclusion vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003290"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "input validation",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200610-203"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-200707-0374

    Vulnerability from variot - Updated: 2025-04-10 23:25

    vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission. vtiger CRM is therefore prone to a remote security vulnerability that requires an authenticated account.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0374",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.3"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "85628"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "85628"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2007-3599",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 8.5,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.0,
                "id": "CVE-2007-3599",
                "impactScore": 9.2,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 8.5,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.0,
                "id": "VHN-26961",
                "impactScore": 9.2,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2007-3599",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2007-3599",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200707-108",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-26961",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26961"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only have the View permission. vtiger CRM is prone to a remote security vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "db": "BID",
            "id": "85628"
          },
          {
            "db": "VULHUB",
            "id": "VHN-26961"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2007-3599",
            "trust": 2.8
          },
          {
            "db": "OSVDB",
            "id": "45781",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108",
            "trust": 0.7
          },
          {
            "db": "BID",
            "id": "85628",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-26961",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26961"
          },
          {
            "db": "BID",
            "id": "85628"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "id": "VAR-200707-0374",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26961"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:25:04.454000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "2968",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2968"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/45781"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3599"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3599"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26961"
          },
          {
            "db": "BID",
            "id": "85628"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-26961"
          },
          {
            "db": "BID",
            "id": "85628"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26961"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85628"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "date": "2007-07-06T19:30:00",
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2008-11-15T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26961"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85628"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          },
          {
            "date": "2007-07-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2007-3599"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM vulnerabilities, including one in contact information import",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005818"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "unknown",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-108"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-200707-0375

    Vulnerability from variot - Updated: 2025-04-10 23:21

    WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module. vtiger CRM is prone to a remote security vulnerability


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0375",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.3"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "85632"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "85632"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2007-3600",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "CVE-2007-3600",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.9,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "id": "VHN-26962",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2007-3600",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2007-3600",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200707-099",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-26962",
                "trust": 0.1,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2007-3600",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "db": "VULMON",
            "id": "CVE-2007-3600"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level security permissions and merge arbitrary fields in an Email template, as demonstrated by the fields in the Contact module. vtiger CRM is prone to a remote security vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "db": "BID",
            "id": "85632"
          },
          {
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "db": "VULMON",
            "id": "CVE-2007-3600"
          }
        ],
        "trust": 2.07
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2007-3600",
            "trust": 2.9
          },
          {
            "db": "OSVDB",
            "id": "45784",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "85632",
            "trust": 0.5
          },
          {
            "db": "VULHUB",
            "id": "VHN-26962",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2007-3600",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "db": "VULMON",
            "id": "CVE-2007-3600"
          },
          {
            "db": "BID",
            "id": "85632"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "id": "VAR-200707-0375",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26962"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:21:45.245000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "3790",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.1,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"
          },
          {
            "trust": 2.1,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3790"
          },
          {
            "trust": 2.1,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/10845"
          },
          {
            "trust": 1.8,
            "url": "http://osvdb.org/45784"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3600"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3600"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://www.securityfocus.com/bid/85632"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "db": "VULMON",
            "id": "CVE-2007-3600"
          },
          {
            "db": "BID",
            "id": "85632"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "db": "VULMON",
            "id": "CVE-2007-3600"
          },
          {
            "db": "BID",
            "id": "85632"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULMON",
            "id": "CVE-2007-3600"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85632"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "date": "2007-07-06T19:30:00",
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2008-11-15T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26962"
          },
          {
            "date": "2008-11-15T00:00:00",
            "db": "VULMON",
            "id": "CVE-2007-3600"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85632"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          },
          {
            "date": "2007-07-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2007-3600"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vulnerability in the wordintegration component of vtiger CRM that bypasses field-level security permissions",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005819"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "unknown",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-099"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-200707-0376

    Vulnerability from variot - Updated: 2025-04-10 23:21

    vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar activities via a (1) home page or (2) event list view. vtiger CRM is prone to a remote security vulnerability


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0376",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.3"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "85627"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "85627"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2007-3601",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "HIGH",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 2.1,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 3.9,
                "id": "CVE-2007-3601",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "LOW",
                "trust": 1.8,
                "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "HIGH",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 2.1,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 3.9,
                "id": "VHN-26963",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "LOW",
                "trust": 0.1,
                "vectorString": "AV:N/AC:H/AU:S/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2007-3601",
                "trust": 1.0,
                "value": "LOW"
              },
              {
                "author": "NVD",
                "id": "CVE-2007-3601",
                "trust": 0.8,
                "value": "Low"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200707-103",
                "trust": 0.6,
                "value": "LOW"
              },
              {
                "author": "VULHUB",
                "id": "VHN-26963",
                "trust": 0.1,
                "value": "LOW"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26963"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users\u0027 calendar activities via a (1) home page or (2) event list view. vtiger CRM is prone to a remote security vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "db": "BID",
            "id": "85627"
          },
          {
            "db": "VULHUB",
            "id": "VHN-26963"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2007-3601",
            "trust": 2.8
          },
          {
            "db": "OSVDB",
            "id": "45785",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "85627",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-26963",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26963"
          },
          {
            "db": "BID",
            "id": "85627"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "id": "VAR-200707-0376",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26963"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:21:00.291000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "3990",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/3990"
          },
          {
            "trust": 1.7,
            "url": "http://osvdb.org/45785"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3601"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3601"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26963"
          },
          {
            "db": "BID",
            "id": "85627"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-26963"
          },
          {
            "db": "BID",
            "id": "85627"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26963"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85627"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "date": "2007-07-06T19:30:00",
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2008-11-15T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26963"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85627"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          },
          {
            "date": "2007-07-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2007-3601"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM vulnerability allowing calendar items of certain other users to be read",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005820"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "unknown",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-103"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-200707-0488

    Vulnerability from variot - Updated: 2025-04-10 23:19

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module. vtiger CRM is prone to a denial-of-service vulnerability.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0488",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.3"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "85611"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "85611"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2007-3616",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2007-3616",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "VHN-26978",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2007-3616",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2007-3616",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200707-116",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-26978",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26978"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile settings via a certain profilePrivileges action in the Users module. vtiger CRM is prone to a denial-of-service vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "db": "BID",
            "id": "85611"
          },
          {
            "db": "VULHUB",
            "id": "VHN-26978"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2007-3616",
            "trust": 2.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116",
            "trust": 0.7
          },
          {
            "db": "BID",
            "id": "85611",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-26978",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26978"
          },
          {
            "db": "BID",
            "id": "85611"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "id": "VAR-200707-0488",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26978"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:19:07.291000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "2237",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2237"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3616"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3616"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26978"
          },
          {
            "db": "BID",
            "id": "85611"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-26978"
          },
          {
            "db": "BID",
            "id": "85611"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26978"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85611"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "date": "2007-07-06T19:30:00",
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2008-09-05T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26978"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85611"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          },
          {
            "date": "2007-07-10T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2007-3616"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "vtiger CRM index.php vulnerability allowing administrative changes",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2006-003710"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "unknown",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-116"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-200707-0373

    Vulnerability from variot - Updated: 2025-04-10 23:18

    index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo. vtiger CRM is prone to a denial-of-service vulnerability.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-200707-0373",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "crm",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "eq",
            "trust": 0.9,
            "vendor": "vtiger",
            "version": "5.0.2"
          },
          {
            "model": "crm",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "vtiger",
            "version": "5.0.3"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "85646"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:vtiger:vtiger_crm",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unknown",
        "sources": [
          {
            "db": "BID",
            "id": "85646"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2007-3598",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2007-3598",
                "impactScore": 4.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "VHN-26960",
                "impactScore": 4.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2007-3598",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2007-3598",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-200707-098",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-26960",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26960"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users\u0027 names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module.  NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo. vtiger CRM is prone to a denial-of-service vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "db": "BID",
            "id": "85646"
          },
          {
            "db": "VULHUB",
            "id": "VHN-26960"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2007-3598",
            "trust": 2.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "85646",
            "trust": 0.4
          },
          {
            "db": "VULHUB",
            "id": "VHN-26960",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26960"
          },
          {
            "db": "BID",
            "id": "85646"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "id": "VAR-200707-0373",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26960"
          }
        ],
        "trust": 0.62916664
      },
      "last_update_date": "2025-04-10T23:18:09.086000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "2985",
            "trust": 0.8,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664"
          },
          {
            "trust": 2.0,
            "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"
          },
          {
            "trust": 2.0,
            "url": "http://forums.vtiger.com/viewtopic.php?p=38609"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3598"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3598"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-26960"
          },
          {
            "db": "BID",
            "id": "85646"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-26960"
          },
          {
            "db": "BID",
            "id": "85646"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2007-07-06T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26960"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85646"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "date": "2007-07-06T19:30:00",
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2008-09-05T00:00:00",
            "db": "VULHUB",
            "id": "VHN-26960"
          },
          {
            "date": "2007-07-06T00:00:00",
            "db": "BID",
            "id": "85646"
          },
          {
            "date": "2012-12-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          },
          {
            "date": "2007-07-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          },
          {
            "date": "2025-04-09T00:30:58.490000",
            "db": "NVD",
            "id": "CVE-2007-3598"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "index.php of vtiger CRM vulnerability in which all user names are acquired",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2007-005817"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "unknown",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-200707-098"
          }
        ],
        "trust": 0.6
      }
    }