SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.

F-RevoCRM version7.3.7 and version7.3.8 contains an OS command injection vulnerability. If this vulnerability is exploited, an attacker who can access the product may execute an arbitrary OS command on the server where the product is running.

Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module.

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Catalyst Connect Catalyst Connect Zoho CRM Client Portal plugin <= 2.0.0 versions.

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within the /QueryView.php.

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp parameter within the /QueryView.php.

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the group parameter within the /QueryView.php.

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and searchwhat parameters within the /QueryView.php.