Skip to main content

Vtiger Crm CVE-2024-44779

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2024-08-29 cve@mitre.org
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 29, 2024 - 18:15 nvd
CRITICAL 9.6

DescriptionNVD

A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. Affected products include: Vtiger Vtiger Crm.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2014-2268 MEDIUM POC
5.0 Nov 16

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which all

CVE-2016-1713 HIGH POC
7.3 Apr 14

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger

CVE-2026-23697 HIGH POC
8.7 Jul 07

Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file

CVE-2019-19202 HIGH POC
8.8 Nov 21

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to c

CVE-2019-11057 HIGH POC
8.8 May 17

SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL comma

CVE-2026-23698 HIGH POC
8.6 Jul 07

Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archi

CVE-2024-42995 HIGH POC
8.3 Aug 16

VTiger CRM <= 8.1.0 does not correctly check user privileges. Rated high severity (CVSS 8.3), this vulnerability is remo

CVE-2013-3213 HIGH POC
7.5 Apr 02

Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL

CVE-2024-42994 HIGH POC
7.2 Aug 16

VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection

CVE-2019-5009 HIGH POC
7.2 Jan 04

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the upload

CVE-2014-2269 MEDIUM POC
6.4 Apr 22

modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for

CVE-2012-4867 MEDIUM POC
5.0 Sep 06

Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote at

Share

CVE-2024-44779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy