CVE-2010-3911
vtiger CRM < 5.2.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php.
References (5)
Scores
EPSS: 0.0037
EPSS Percentile: 58.2%
Classification
CWE: CWE-79
Status: published
Affected Products (25)
vtiger/vtiger_crm < 5.2.0
Timeline
Published: Nov 26, 2010
Tracked Since: Feb 18, 2026