Impact
The bug is a failure to neutralize user‑supplied input in the tabid parameter of Vtiger CRM’s Dashboard module. When the getTabContents action renders the dashboard, the supplied tabid value is included in the page’s HTML without proper escaping. An attacker can supply a crafted tabid that injects arbitrary HTML or JavaScript, which is executed in the victim’s browser with the privileges of whoever is viewing the page. This allows cookie theft, session hijacking, phishing or defacement for any user who has access to the dashboard interface.
Affected Systems
Vtiger CRM open‑source edition version 8.4.0 is the only version documented to contain the flaw. The vulnerability is confined to the DashBoardTab view during the getTabContents action; no other versions or modules are documented as affected.
Risk and Exploitability
The CVSS base score of 6.1 indicates a medium‑severity issue. The EPSS score is reported as <1%, suggesting that exploitation is not widely observed in the current environment, and the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is a user‑supplied query parameter that can be included in a link or a form field, allowing an attacker to exploit it if they can convince an authenticated user to visit the malicious URL. The impact remains confined to the affected user’s session, but the potential damage is substantial from the perspective of that user’s confidentiality and session integrity.
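Because the attack vector is a query parameter in a link, a defender can look for it in web-server access logs. The following is an added detection example, not code from the advisory or from Vtiger; it assumes Apache-style combined log lines and a Vtiger URL shape of `index.php?module=Home&view=DashBoardTab&tabid=...` (the exact parameter carrying the getTabContents action is not given by the advisory, so the check keys on the view and the tabid value only), and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the affected view appears as view=DashBoardTab in the URL.
AFFECTED_VIEW = "DashBoardTab"
# A legitimate dashboard tab id is a plain integer.
SAFE_TABID = re.compile(r"[0-9]+")
# Apache "combined" request field: "GET /path?query HTTP/1.1" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?module=Home&view=DashBoardTab&tabid=1 HTTP/1.1" 200 5120',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?module=Home&view=DashBoardTab&tabid=1%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5140',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?module=Home&view=DashBoardTab&tabid=%2531%2522 HTTP/1.1" 200 5130',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?module=Contacts&view=List&tabid=%3Cx%3E HTTP/1.1" 200 900',
]


def decode_tabid(value: str) -> str:
    """Fully decode a tabid value; a second unquote() catches double URL-encoding."""
    return unquote(unquote(value)).strip()


def is_suspicious_tabid(value: str) -> bool:
    """True when the decoded tabid is anything other than a plain integer
    (HTML metacharacters, quotes, empty values, and so on)."""
    return SAFE_TABID.fullmatch(decode_tabid(value)) is None


def scan_access_log(lines):
    """Return (line_no, decoded_tabid) for DashBoardTab requests whose tabid
    does not look like an integer; other views are ignored."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        if qs.get("view", [""])[0] != AFFECTED_VIEW or "tabid" not in qs:
            continue
        for raw in qs["tabid"]:  # parse_qs already decoded one layer
            if is_suspicious_tabid(raw):
                hits.append((n, decode_tabid(raw)))
    return hits


if __name__ == "__main__":
    for line_no, tabid in scan_access_log(LOG_LINES):
        print(f"line {line_no}: suspicious tabid {tabid!r}")
```

The third sample line shows why the decoder runs twice: a double-encoded value passes a naive single-decode check but still reaches the page as HTML.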
OpenCVE Enrichment