Skip to main content

Vtiger Crm CVE-2024-42995

HIGH
Improper Privilege Management (CWE-269)
2024-08-16 cve@mitre.org
8.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 16, 2024 - 17:15 cve.org
HIGH 8.3

DescriptionCVE.org

VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.

AnalysisAI

VTiger CRM <= 8.1.0 does not correctly check user privileges. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules. Affected products include: Vtiger Vtiger Crm.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

CVE-2014-2268 MEDIUM POC
5.0 Nov 16

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which all

CVE-2016-1713 HIGH POC
7.3 Apr 14

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger

CVE-2026-23697 HIGH POC
8.7 Jul 07

Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file

CVE-2019-19202 HIGH POC
8.8 Nov 21

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to c

CVE-2019-11057 HIGH POC
8.8 May 17

SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL comma

CVE-2026-23698 HIGH POC
8.6 Jul 07

Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archi

CVE-2013-3213 HIGH POC
7.5 Apr 02

Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL

CVE-2024-42994 HIGH POC
7.2 Aug 16

VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection

CVE-2019-5009 HIGH POC
7.2 Jan 04

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the upload

CVE-2014-2269 MEDIUM POC
6.4 Apr 22

modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for

CVE-2012-4867 MEDIUM POC
5.0 Sep 06

Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote at

CVE-2013-5091 MEDIUM POC
6.5 Oct 04

SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated u

Share

CVE-2024-42995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy