The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Vtiger CRM

computer vulnerability CVE-2019-11057

Vtiger CRM: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Vtiger CRM.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Creation date: 03/04/2019.
Identifiers: CVE-2019-11057, VIGILANCE-VUL-28935.

Description of the vulnerability

An attacker can use several vulnerabilities of Vtiger CRM.

computer vulnerability announce CVE-2016-4834

Vtiger CRM: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Vtiger CRM, in order to escalate his privileges.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 20/07/2016.
Identifiers: CVE-2016-4834, JVN#01956993, VIGILANCE-VUL-20177.

Description of the vulnerability

An attacker can bypass restrictions of Vtiger CRM, in order to escalate his privileges.

computer vulnerability note 19069

Vtiger CRM: file upload

Synthesis of the vulnerability

An attacker can upload a malicious file, such as a Trojan, to Vtiger CRM.
Impacted products: Vtiger CRM.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 02/03/2016.
Identifiers: VIGILANCE-VUL-19069.

Description of the vulnerability

The Vtiger CRM product offers a web service.

It can be used to upload a file. However, the file type is not restricted, so a PHP file can be uploaded to the server and then executed.

An attacker can therefore upload a malicious file, such as a Trojan, to Vtiger CRM.

vulnerability announce CVE-2016-1713

Vtiger CRM: file upload via saveLogo

Synthesis of the vulnerability

An authenticated attacker can upload a malicious file, such as a Trojan, to Vtiger CRM.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: user access/rights, data creation/edition.
Provenance: user account.
Creation date: 12/01/2016.
Identifiers: CVE-2016-1713, VIGILANCE-VUL-18692.

Description of the vulnerability

The Vtiger CRM product offers a web service.

It can be used by an authenticated user to upload a file containing the company logo. However, the file type is not correctly restricted, so a PHP file can be uploaded to the server and then executed.

An authenticated attacker can therefore upload a malicious file, such as a Trojan, to Vtiger CRM.

computer vulnerability CVE-2015-6000

Vtiger CRM: file upload via saveLogo

Synthesis of the vulnerability

An authenticated attacker can upload a malicious file, such as a Trojan, to Vtiger CRM.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 29/09/2015.
Identifiers: CVE-2015-6000, VIGILANCE-VUL-17995.

Description of the vulnerability

The Vtiger CRM product offers a web service.

It can be used by an authenticated user to upload a file containing the company logo. However, the file type is not restricted, so a PHP file can be uploaded to the server and then executed.

An authenticated attacker can therefore upload a malicious file, such as a Trojan, to Vtiger CRM.

computer vulnerability 15355

Vtiger CRM: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Vtiger CRM, in order to force the victim to perform operations.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 16/09/2014.
Identifiers: VIGILANCE-VUL-15355.

Description of the vulnerability

The Vtiger CRM product offers a web service.

However, the origin of requests is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Vtiger CRM, in order to force the victim to perform operations.

computer vulnerability alert CVE-2014-2268 CVE-2014-2269

Vtiger CRM: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Vtiger CRM.
Impacted products: Vtiger CRM.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 14/03/2014.
Revision date: 09/04/2014.
Identifiers: CVE-2014-2268, CVE-2014-2269, VIGILANCE-VUL-14426.

Description of the vulnerability

Several vulnerabilities were announced in Vtiger CRM.

A remote attacker can reinstall the software. [severity:3/4; CVE-2014-2268]

A remote attacker can change the password of a user, in order to escalate his privileges. [severity:3/4; CVE-2014-2269]

vulnerability CVE-2014-1222

Vtiger CRM: directory traversal via kcfinder

Synthesis of the vulnerability

An authenticated attacker can traverse directories in kcfinder of Vtiger CRM, in order to read a file outside the service root path.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 12/03/2014.
Identifiers: CVE-2014-1222, VIGILANCE-VUL-14410.

Description of the vulnerability

The Vtiger CRM product offers a web service.

However, user-supplied data are inserted directly into a file path by /kcfinder/browse.php. Sequences such as "/.." can thus be used to move to the parent directory.

An authenticated attacker can therefore traverse directories in kcfinder of Vtiger CRM, in order to read a file outside the service root path.

vulnerability CVE-2013-7326

Vtiger CRM: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Vtiger CRM, in order to execute JavaScript code in the context of the web site.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/12/2013.
Identifiers: BID-64236, CVE-2013-7326, SOJOBO-ADV-13-05, VIGILANCE-VUL-13940.

Description of the vulnerability

The Vtiger CRM product uses the following pages: savetemplate.php, deletetask.php, edittask.php, savetask.php and saveworkflow.php.

However, they do not filter received data before inserting them into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Vtiger CRM, in order to execute JavaScript code in the context of the web site.

computer vulnerability alert CVE-2013-3591

vtiger CRM: PHP code execution

Synthesis of the vulnerability

An authenticated attacker can upload a file on vtiger CRM, in order to execute PHP code.
Impacted products: Vtiger CRM.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 31/10/2013.
Identifiers: BID-63454, CVE-2013-3591, VIGILANCE-VUL-13676.

Description of the vulnerability

The vtiger CRM product allows authenticated users to upload images.

However, an attacker can upload a file with the ".php3" extension. He can then access this file, which is interpreted as a PHP language file.

An authenticated attacker can therefore upload a file on vtiger CRM, in order to execute PHP code.