Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101



vtigerCRM is an Open Source Customer Relationship Management (CRM) software.
The application is vulnerable to simple Cross Site Scripting (XSS), which can be abused in several ways: injected script runs in the browser of a logged-in CRM user, with that user's session.


Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with:


vtiger CRM Security Patch for 5.0.4
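As an added example, not part of this advisory and not vtiger code: a small offline check that tells an unescaped reflection apart from an escaped one, which is how one would confirm whether the vendor patch actually neutralises an injected string. It sends nothing itself; feed it the response body of a request whose parameter carried `PROBE`. The marker strings, the probe and the three response bodies below are constructed for the example and do not name any real vtigerCRM parameter.

```python
"""Classify how an HTML response reflects a probe string (added example)."""
import re

# Constructed probe: unique markers around every character an HTML escaper must encode.
PROBE_PREFIX = "zqx1"
PROBE_SUFFIX = "1xqz"
SPECIALS = '<>"\'&'
PROBE = PROBE_PREFIX + SPECIALS + PROBE_SUFFIX

# Matches a well-formed character reference (named, decimal or hex).
_ENTITY = re.compile(r"&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")
_SEGMENT = re.compile(re.escape(PROBE_PREFIX) + r"(.*?)" + re.escape(PROBE_SUFFIX), re.S)


def raw_specials(segment: str) -> set:
    """Special characters that survive unescaped inside one reflected segment."""
    raw = {c for c in '<>"\'' if c in segment}
    # An '&' that remains after removing entity references is a raw ampersand.
    if "&" in _ENTITY.sub("", segment):
        raw.add("&")
    return raw


def check_reflection(body: str) -> dict:
    """Report whether PROBE is reflected and which specials came back raw.

    verdict is one of 'not reflected', 'reflected escaped', 'reflected unescaped'.
    'raw' lists the unescaped special characters, sorted; any non-empty value
    means an attacker-controlled character reaches the HTML unencoded.
    """
    segments = _SEGMENT.findall(body)
    raw = set()
    for seg in segments:
        raw |= raw_specials(seg)
    if not segments:
        verdict = "not reflected"
    elif raw:
        verdict = "reflected unescaped"
    else:
        verdict = "reflected escaped"
    return {"verdict": verdict, "raw": "".join(sorted(raw)), "count": len(segments)}


# Constructed sample responses (not captured from vtigerCRM).
# 1. Value echoed verbatim into an attribute: the classic reflected XSS shape.
VULNERABLE_RESPONSE = '<input type="text" name="q" value="' + PROBE + '">'
# 2. Value passed through an escaper that also encodes quotes (ENT_QUOTES style).
PATCHED_RESPONSE = (
    '<input type="text" name="q" value="'
    + PROBE_PREFIX + "&lt;&gt;&quot;&#039;&amp;" + PROBE_SUFFIX + '">'
)
# 3. Escaper that leaves the single quote alone: still breakable in a '...' attribute.
PARTIAL_RESPONSE = (
    "<input type='text' name='q' value='"
    + PROBE_PREFIX + "&lt;&gt;&quot;'&amp;" + PROBE_SUFFIX + "'>"
)

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_RESPONSE),
                       ("patched", PATCHED_RESPONSE),
                       ("partial", PARTIAL_RESPONSE)):
        print(name, check_reflection(body))
```

Run it against the body returned for the same request before and after applying the patch: the verdict should move from "reflected unescaped" to "reflected escaped" with an empty `raw` set. A non-empty `raw` after patching (for instance only `'`) means the fix escapes some characters but not all, which is exactly the case a second patch would need to cover.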

Disclosure Timeline

2008-07-28 Vendor contacted
2008-07-28 Vendor fixed issue in test environment
2008-07-30 Vendor released patch
2008-07-30 Vendor developer stated they would release a second patch within days
2008-09-01 Advisory published, no second patch from upstream yet

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Fabian Fingerle (published with help from seracom GmbH and Hanno Boeck).
It is licensed under the Creative Commons Attribution license.

Fabian Fingerle, 2008-09-01,