Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 up to and including 5.4.0 allow remote malicious users to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
vtiger vtiger crm 5.0.0 |
||
vtiger vtiger crm 5.4.0 |
||
vtiger vtiger crm 5.0.4 |
||
vtiger vtiger crm 5.0.1 |
||
vtiger vtiger crm 5.2.0 |
||
vtiger vtiger crm 5.1.0 |
||
vtiger vtiger crm 5.0.3 |
||
vtiger vtiger crm 5.3.0 |
||
vtiger vtiger crm 5.2.1 |
||
vtiger vtiger crm 5.0.2 |
Vulmon