Description
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
Exploits (1)
References (5)
Core References
Third Party Advisory (mailing-list, x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html
Patch, Third Party Advisory (x_refsource_confirm): http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/
Third Party Advisory (x_refsource_misc): https://www.htbridge.com/advisory/HTB23168
Broken Link (vdb-entry, x_refsource_osvdb): http://osvdb.org/76138
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/28409
Scores
EPSS: 0.0035
EPSS Percentile: 57.7%
Details
CWE: CWE-89
Status: published
Products (20)
vtiger/vtiger_crm 1.0
vtiger/vtiger_crm 2.0
vtiger/vtiger_crm 2.0.1
vtiger/vtiger_crm 2.1
vtiger/vtiger_crm 3.0 (2 CPE variants)
vtiger/vtiger_crm 3.2
vtiger/vtiger_crm 4 (4 CPE variants)
vtiger/vtiger_crm 4.0
vtiger/vtiger_crm 4.0.1
vtiger/vtiger_crm 4.2 (3 CPE variants)
... and 10 more
Published: Oct 04, 2013
Tracked Since: Feb 18, 2026