Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories.

vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.

vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.

vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.

vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter).

modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.

SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.