Vendor |
Product | vtiger |
Affected Version(s) | 7.0.1 and probably prior |
Tested Version(s) | 7.0.1 |
Vulnerability Discovery | March 9, 2018 |
Vendor Notification | March 9, 2018 |
Advisory Publication | March 9, 2018 [without technical details] |
Vendor Fix | N/A |
Public Disclosure | N/A |
Latest Modification | March 9, 2018 |
CVE Identifier(s) | CVE-2018-8047 |
Product Description | Vtiger CRM enables sales, support, and marketing teams to organize and collaborate to measurably improve customer experiences and business outcomes. Vtiger CRM also includes email, inventory, project management, and other tools, providing a complete business management suite. |
Credits | Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group |
Reflected Cross-Site Scripting (XSS) Vulnerability |
Severity: Medium | CVSS Score: 6.1 | CWE-ID: CWE-79 | Status: Not Fixed |
Vulnerability Description |
The application vtiger CRM is affected by a reflected Cross-Site Scripting (XSS) vulnerability in version 7.0.1 and prior versions. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. |
CVSS Base Score |
Attack Vector | Network | Scope | Changed |
Attack Complexity | Low | Confidentiality Impact | Low |
Privileges Required | None | Integrity Impact | Low |
User Interaction | Required | Availability Impact | None |
Vtiger has one reflected Cross-Site Scripting (XSS) vulnerability due to the lack of input validation and output encoding. Full details about the vulnerability will be disclosed once the vendor has provided a pat