CVE-2010-3911

Name of the Vulnerable Software and Affected Versions vtiger CRM versions prior to 5.2.1

Description The issue allows remote attackers to inject arbitrary web script or HTML, related to multiple cross-site scripting (XSS) vulnerabilities. This can be achieved via the username field or the password field in a Users Login action to "index.php", or the label parameter in a Settings GetFieldInfo action to "index.php", which is related to the file modules/Settings/GetFieldInfo.php.

Recommendations For versions prior to 5.2.1, update to version 5.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "index.php" file for unauthenticated users until a patch is available. Avoid using the username and password fields in the Users Login action to "index.php", and the label parameter in the Settings GetFieldInfo action to "index.php" until the issue is resolved.