Cross-Site Scripting Vulnerability in vTiger CRM by vtiger
CVE-2025-1618

5.3 MEDIUM

Key Information:

Vendor: Vtiger
Product: CRM
CVE Published: 24 February 2025

Summary

A security flaw has been identified in vTiger CRM version 6.4.0 that permits remote attackers to exploit a cross-site scripting (XSS) vulnerability. The flaw stems from improper handling of the argument _operation in the file /modules/Mobile/index.php: because the value is not neutralised before it reaches the response, an attacker can inject script into web pages viewed by other users. The vulnerability can be exploited over the network without authentication. The issue has been made public, raising concerns over potential exploitation, especially given the lack of response from the vendor upon early notification of the vulnerability.
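For defenders who cannot patch immediately, the practical question is whether anyone is probing the affected endpoint. The following is an added example (not part of the advisory and not vTiger's own code) that scans web server access log lines for requests to /modules/Mobile/index.php whose _operation value is not a plain identifier. The allowlist pattern for a legitimate operation name is an assumption, as are the constructed log lines; the path and parameter name come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameter named in the advisory for vTiger CRM 6.4.0
TARGET_PATH = "/modules/Mobile/index.php"
TARGET_PARAM = "_operation"

# Assumption: a legitimate operation name is a bare identifier such as
# "login". Markup characters, quotes or encoded brackets do not belong here.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]+$")

# Common/combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_request(target: str) -> list:
    """Return the suspicious _operation value(s) in a request target.

    Returns an empty list when the request is not for the affected endpoint
    or when every _operation value is a plain identifier.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    findings = []
    # parse_qs already applies one round of URL decoding
    for value in parse_qs(parts.query).get(TARGET_PARAM, []):
        # Decode once more so double-encoded values are judged on their final form
        decoded = unquote_plus(value)
        if not SAFE_VALUE.match(decoded):
            findings.append(decoded)
    return findings


def scan_log(lines) -> list:
    """Run check_request over each parsable log line and collect alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected access-log shape; skip
        for value in check_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "value": value})
    return alerts


# Constructed sample log lines (not real traffic): one benign call, one with
# encoded markup in _operation, one double-encoded, and two unrelated requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Feb/2025:10:00:00 +0000] "GET /modules/Mobile/index.php?_operation=login HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Feb/2025:10:01:13 +0000] "GET /modules/Mobile/index.php?_operation=%3Cb%3Etest HTTP/1.1" 200 734',
    '10.0.0.9 - - [24/Feb/2025:10:01:20 +0000] "GET /modules/Mobile/index.php?_operation=%253Cb%253E HTTP/1.1" 200 700',
    '10.0.0.7 - - [24/Feb/2025:10:02:02 +0000] "GET /index.php?module=Home HTTP/1.1" 200 1024',
    '10.0.0.2 - - [24/Feb/2025:10:02:40 +0000] "GET /modules/Mobile/index.php?module=Contacts HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} suspicious _operation={alert['value']!r}")
```

The allowlist approach (flag anything that is not an identifier) is deliberately stricter than looking for known script fragments, so it also catches probes that use unusual encodings; tune SAFE_VALUE if the deployment legitimately uses other characters in operation names.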

Affected Version(s)

CRM 6.4.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stux (VulDB User)