SQL Injection in Vtiger Vtiger_crm
CVE-2011-4559
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
Vulnerability class: SQL Injection
EPSS: 0.010 (77.4th percentile) — read the EPSS interpretation.
Affected products
- Vtiger Vtiger_crm — versions 1.0, 2.0, 2.0.1
- N/a — versions n/a
Weakness classification (CWE)
References
- 20111005 vTiger CRM 5.2.x <= Blind SQL Injection Vulnerability (mailing-list, x_refsource_BUGTRAQ)
- 20111005 vTiger CRM 5.2.x <= Blind SQL Injection Vulnerability (mailing-list, Exploit, x_refsource_FULLDISC)
- 49948 (Exploit, vdb-entry, x_refsource_BID)
- cve@mitre.org (Exploit, x_refsource_MISC)
- 76138 (x_refsource_OSVDB, vdb-entry)
- vtigercrm-index-sql-injection(70344) (vdb-entry, x_refsource_XF)