vtiger.com suffers from a persistent (stored) cross-site scripting vulnerability.
Type of vulnerability: Persistent (stored) cross-site scripting (XSS)
Proof of concept:
1 Go to site.vtiger.com/index.php?module=Contacts&view=List
2 Add a new contact and fill the fields with the XSS payload "><img src=x onerror=confirm(1);>
3 Then click the added contact in the list and click "see full details"; the stored payload executes when the detail view renders the field.
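The payload in the PoC is stored in a contact field and fires when the detail view renders that field without encoding. The following is an added example, not vtiger's own code: it shows in PHP a hypothetical detail-view field rendered unencoded (the behaviour the PoC relies on) beside the hardened version that HTML-encodes every stored value on output, together with the regression check a fix should ship with. Function names, the field markup and the `SAMPLE_FIRSTNAME` constant are assumptions made for the example.

```php
<?php
// Added example (not vtiger's own code). Illustrates why the stored payload from
// the PoC executes: a detail view that echoes a contact field without encoding,
// beside the hardened version that HTML-encodes on output. Function and field
// names here are hypothetical.

declare(strict_types=1);

// Constructed sample: the payload from the PoC, as it would be stored in the
// contact record after step 2 of the proof of concept.
const SAMPLE_FIRSTNAME = '"><img src=x onerror=confirm(1);>';

// Vulnerable rendering: the stored value is placed straight into the markup, so
// the leading quote closes the value attribute and the <img> tag becomes live
// HTML whose onerror handler runs when the detail page loads.
function renderContactFieldUnsafe(string $label, string $value): string
{
    return '<input type="text" readonly value="' . $value . '" data-label="' . $label . '">';
}

// Hardened rendering: every stored value is encoded for the HTML context it is
// emitted into. ENT_QUOTES covers both quote styles, so attribute values are
// safe; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderContactField(string $label, string $value): string
{
    return '<input type="text" readonly value="' . encodeHtml($value)
        . '" data-label="' . encodeHtml($label) . '">';
}

// Regression check a reviewer would add with the fix: the stored value must
// never reach the page as raw markup, only as its encoded form.
function containsRawMarkup(string $html, string $storedValue): bool
{
    return str_contains($html, $storedValue);
}

$unsafe = renderContactFieldUnsafe('First Name', SAMPLE_FIRSTNAME);
$safe   = renderContactField('First Name', SAMPLE_FIRSTNAME);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";

// The unsafe output carries the payload verbatim; the hardened output carries
// only the entity-encoded text, which the browser displays but never executes.
assert(containsRawMarkup($unsafe, SAMPLE_FIRSTNAME) === true);
assert(containsRawMarkup($safe, SAMPLE_FIRSTNAME) === false);
assert(str_contains($safe, '&quot;&gt;&lt;img src=x onerror=confirm(1);&gt;'));
```

Encoding at the point of output is the durable fix here: filtering the payload on the way in leaves every other template that echoes the same record exposed, whereas encoding in the view makes the stored value inert regardless of what was accepted at create time. The same rule applies to the contact list, where the value is also displayed.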