COOEY // HUBcompliance · community · intelligence

FAIL › dossier

vtiger vendor

· dossier confidence 50%

vTiger CRM is an open-source CRM platform with a critical security posture due to multiple remote code execution vulnerabilities discovered in recent versions, including reflected XSS in version 7.4.0 and authenticated RCE via file upload in version 8.4.0.

3
failure events
0
zero-days
3
RCEs
0
on KEV
3
critical
50
worst shame

Profile

Category
Software Vendor
What they do
vTiger CRM is an open-source CRM platform that provides customer relationship management solutions for businesses.
Website
https://www.vtiger.com

Security posture

vTiger CRM has a critical security posture with multiple remote code execution vulnerabilities discovered in recent versions, including reflected XSS in version 7.4.0 and authenticated RCE via file upload in version 8.4.0.

Notable failures
  • CVE-2024-44777: Reflected XSS RCE in tag parameter
  • CVE-2024-44778: Reflected XSS RCE in parent parameter
  • CVE-2024-44779: Reflected XSS RCE in viewname parameter
  • CVE-2026-23697: Unrestricted file upload RCE
  • CVE-2026-23698: Authenticated RCE via module import file upload
Patterns
Repeated reflected XSS RCEs in index page parameters; Authenticated RCE via file upload mechanisms; Lack of input validation in admin module import features

Failure history 3 events

DateEventSevFlagsShameSummary
2024-08-29 CVE-2024-44777 critical ⚡RCE 50 A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
2024-08-29 CVE-2024-44778 critical ⚡RCE 50 A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
2024-08-29 CVE-2024-44779 critical ⚡RCE 50 A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

Dossier sources

Open questions: Exact founding date and headquarters location · Current version distribution and patching velocity