Description
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Aung Khant · text · webapps · php
https://www.exploit-db.com/exploits/36208
References (6)
Core References
Third Party Advisory, VDB Entry · mailing-list · x_refsource_bugtraq
http://www.securityfocus.com/archive/1/520006/100/0/threaded
Exploit · mailing-list · x_refsource_fulldisc
http://seclists.org/fulldisclosure/2011/Oct/224
Exploit · vdb-entry · x_refsource_bid
http://www.securityfocus.com/bid/49948
Exploit · x_refsource_misc
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_osvdb
http://osvdb.org/76138
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/70344
Scores
EPSS: 0.0103
EPSS Percentile: 77.4%
Details
CWE: CWE-89
Status: published
Products (16)
vtiger/vtiger_crm 1.0
vtiger/vtiger_crm 2.0
vtiger/vtiger_crm 2.0.1
vtiger/vtiger_crm 2.1
vtiger/vtiger_crm 3.0 (2 CPE variants)
vtiger/vtiger_crm 3.2
vtiger/vtiger_crm 4.0
vtiger/vtiger_crm 4.0.1
vtiger/vtiger_crm 4.2 (2 CPE variants)
vtiger/vtiger_crm 4.2.4
... and 6 more
Published: Nov 28, 2011
Tracked Since: Feb 18, 2026