Vtiger · Vtiger Crm · CVE-2013-3213
**Name of the Vulnerable Software and Affected Versions**
vTiger CRM versions 5.0.0 through 5.4.0
**Description**
The vulnerability is SQL injection through the SOAP web services: remote attackers can execute arbitrary SQL commands via several parameters, namely the `picklist name` parameter in the "get picklists" method of "soap/customerportal.php", the `where` parameter in the "get tickets list" method of "soap/customerportal.php", and the `emailaddress` parameter in the "SearchContactsByEmail" method of "soap/vtigerolservice.php". Additionally, remote authenticated users can execute arbitrary SQL commands via the `emailaddress` parameter in the "SearchContactsByEmail" method of "soap/thunderbirdplugin.php".
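To show the bug class behind this advisory, here is an added Python example that is not vTiger's code: an in-memory SQLite table stands in for the CRM contacts table, `search_contacts_vulnerable` splices the `emailaddress` value into the query text the way an injectable lookup does, and `search_contacts_hardened` validates the value against an allow-list and binds it as a query parameter. The table, column names, sample rows and probe string are all constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the CRM contacts table (not vTiger's schema).
_ROWS = [
    ("Alice Example", "alice@example.com"),
    ("Bob Example", "bob@example.com"),
]


def _open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", _ROWS)
    return conn


def search_contacts_vulnerable(emailaddress: str) -> list:
    """Injectable: the untrusted value becomes part of the SQL text itself."""
    conn = _open_db()
    sql = "SELECT name, email FROM contacts WHERE email = '" + emailaddress + "'"
    return conn.execute(sql).fetchall()


# Conservative allow-list for the only shape of value this lookup should accept.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def search_contacts_hardened(emailaddress: str) -> list:
    """Reject anything not shaped like an address, then bind it as a parameter."""
    if not _EMAIL_RE.fullmatch(emailaddress):
        return []
    conn = _open_db()
    sql = "SELECT name, email FROM contacts WHERE email = ?"
    return conn.execute(sql, (emailaddress,)).fetchall()


if __name__ == "__main__":
    # Constructed probe: a quote-breaking value that turns the WHERE into a tautology.
    probe = "x' OR '1'='1"
    print(search_contacts_vulnerable(probe))  # the whole table leaks
    print(search_contacts_hardened(probe))    # rejected before any query runs
```

The same two patterns apply to the `picklist name` and `where` parameters; a `where` value that is accepted as raw SQL cannot be bound and must instead be replaced by a fixed set of server-side filters.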
**Recommendations**
For versions 5.0.0 through 5.4.0, until a patch is available, consider disabling the `get picklists` and `get tickets list` methods in "soap/customerportal.php" and the `SearchContactsByEmail` method in "soap/vtigerolservice.php" and "soap/thunderbirdplugin.php". Where they cannot be disabled, restrict access to these methods to minimize the risk of exploitation, and avoid relying on the `picklist name`, `where`, and `emailaddress` parameters of the affected API endpoints until the issue is resolved.