Security Research & Advisories

Reflected Cross-Site Scripting Vulnerability in vtiger CRM

Product: vtiger
Affected Version(s): 7.0.1 and probably prior
Tested Version(s): 7.0.1
Vulnerability Discovery: March 9, 2018
Vendor Notification: March 9, 2018
Advisory Publication: March 9, 2018 [without technical details]
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: March 9, 2018
CVE Identifier(s): CVE-2018-8047
Product Description: Vtiger CRM enables sales, support, and marketing teams to organize and collaborate to measurably improve customer experiences and business outcomes. Vtiger CRM also includes email, inventory, project management, and other tools, providing a complete business management suite.
Credits: Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Reflected Cross-Site Scripting (XSS) Vulnerability
Severity: Medium
CVSS Score: 6.1
CWE-ID: CWE-79
Status: Not Fixed
Vulnerability Description
The application vtiger CRM is affected by a reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and prior versions. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None


Vtiger has one reflected Cross-Site Scripting (XSS) vulnerability due to the lack of input validation and output encoding. Full details about the vulnerability will be disclosed once the vendor has provided a pat