Product: vtiger crm
72 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE | Affected versions | Description
CVE-2025-45753 | all versions | A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by
CVE-2025-45755 | all versions | A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Im
CVE-2025-1618 | >= 6.4.0 and < 7.0 | A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of
CVE-2024-54687 | <= 6.1 | Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in
CVE-2024-48119 | all versions | Vtiger CRM v8.2.0 has an HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
CVE-2024-44779 | all versions | A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attack
CVE-2024-44778 | all versions | A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attacker
CVE-2024-44777 | all versions | A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers t
CVE-2024-44776 | all versions | An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site v
CVE-2024-42995 | <= 8.1.0 | VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" adm
CVE-2024-42994 | <= 8.1.0 | VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "C
CVE-2023-46304 | all versions | modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an un
CVE-2023-38891 | all versions | SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryCo
CVE-2022-38335 | <= 7.4.0 | Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.
CVE-2020-22807 | all versions | An issue was discovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.
CVE-2020-19363 | all versions | Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories.
CVE-2020-19362 | all versions | Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicio
CVE-2013-3591 | all versions | vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
CVE-2015-6000 | <= 6.3.0 | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/C
CVE-2013-3215 | >= 5.1.0 and <= 5.4.0 | vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the valid
CVE-2013-3214 | <= 5.4.0 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
CVE-2013-3212 | <= 5.4.0 | vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to v
CVE-2019-19202 | >= 7.0 and < 7.2.0 | In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his
CVE-2018-8047 | <= 7.0.1 | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior
CVE-2016-10754 | all versions | modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
CVE-2019-11057 | <= 7.0.1 | SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
CVE-2019-5009 | <= 7.1.0 | Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is
CVE-2016-1713 | all versions | Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/C
CVE-2016-4834 | <= 6.4.0 | modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote a
CVE-2014-2268 | all versions | views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote
CVE-2014-1222 | <= 6.0.0 | Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated u
CVE-2014-2269 | all versions | modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary
CVE-2013-3213 | all versions | Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands
CVE-2013-7326 | all versions | Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via th
CVE-2013-5091 | <= 5.4.0 | SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to ex
CVE-2012-4867 | all versions | Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to
CVE-2011-4680 | <= 5.1.0 | Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to in
CVE-2011-4679 | < 5.3.0 | vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authen
CVE-2011-4670 | <= 5.2.1 | Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web
CVE-2011-4559 | <= 5.2.1 | SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQ
CVE-2010-3911 | <= 5.2.0 | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web scri
CVE-2010-3910 | <= 5.2.0 | Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM
CVE-2010-3909 | all versions | Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute
CVE-2009-3258 | all versions | vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (
CVE-2009-3257 | < 5.1.0 | vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shi
CVE-2009-3251 | <= 5.1.0 | include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restriction
CVE-2009-3250 | all versions | The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to ex
CVE-2009-3249 | all versions | Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local fil
CVE-2009-3248 | all versions | Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authen
CVE-2009-3247 | all versions | Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary
CVE-2008-3101 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or H
CVE-2008-3458 | <= 5.0.3 | Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote atta
CVE-2007-3617 | <= 5.0.2 | The report module in vtiger CRM before 5.0.3 does not properly apply security rules, which allows remote authenticated users to re
CVE-2007-3616 | <= 5.0.2 | index.php in vtiger CRM before 5.0.3 allows remote authenticated users to perform administrative changes to arbitrary profile sett
CVE-2007-3604 | <= 5.0.2 | vtiger CRM before 5.0.3 allows remote authenticated users with access to the Analytics DashBoard menu to bypass data restrictions
CVE-2007-3603 | <= 5.0.2 | SQL injection vulnerability in the dashboard (include/utils/SearchUtils.php) in vtiger CRM before 5.0.3 allows remote authenticate
CVE-2007-3602 | <= 5.0.2 | The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that authenticated accounts are active, which allows remote authent
CVE-2007-3601 | <= 5.0.2 | vtiger CRM before 5.0.3, when a migrated build is used, allows remote authenticated users to read certain other users' calendar ac
CVE-2007-3600 | <= 5.0.2 | WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 allows remote authenticated users to bypass field level sec
CVE-2007-3599 | <= 5.0.2 | vtiger CRM before 5.0.3 allows remote authenticated users to import and export the information for a contact even when they only h
CVE-2007-3598 | <= 5.0.2 | index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possib
CVE-2006-5289 | all versions | Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP c
CVE-2006-4617 | <= 4.2.4 | Unrestricted file upload vulnerability in fileupload.html in vtiger CRM 4.2.4, and possibly earlier versions, allows remote attack
CVE-2006-4588 | all versions | vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to bypass authentication and access administrative modules via a d
CVE-2006-4587 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2.4, and possibly earlier, allow remote attackers to inject ar
CVE-2005-3824 | <= 4.2 | The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add
CVE-2005-3823 | <= 4.2 | The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the
CVE-2005-3822 | <= 4.2 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via
CVE-2005-3821 | <= 4.2 | Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or H
CVE-2005-3820 | <= 4.2 | Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include
CVE-2005-3819 | <= 4.2 | Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and b
CVE-2005-3818 | <= 4.2 | Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web s