The uploads module in vTiger CRM 4.2 and previous versions allows remote malicious users to upload arbitrary files, such as PHP files, via the add2db action.
vtiger vtiger crm