Details of VAR-200610-0315

ID

VAR-200610-0315

CVE

CVE-2006-5289

TITLE

Vtiger CRM In PHP Remote file inclusion vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2006-003290

DESCRIPTION

Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php. (1) modules/Calendar/admin/update.php To calpath Parameters (2) modules/Calendar/admin/scheme.php To calpath Parameters (3) modules/Calendar/calendar.php To calpath Parameters. vtiger CRM is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. This may allow an attacker to compromise the application and the underlying system; other attacks are also possible. vtiger CRM 4.2 and prior versions are vulnerable; other versions may also be affected

Trust: 1.98

sources: NVD: CVE-2006-5289 // JVNDB: JVNDB-2006-003290 // BID: 20435 // VULHUB: VHN-21397

AFFECTED PRODUCTS

vendor:	vtiger	model:	crm	scope:	eq	version:	4.2	Trust: 1.9
vendor:	vtiger	model:	crm	scope:	lte	version:	4.2	Trust: 0.8
vendor:	vtiger	model:	crm	scope:	eq	version:	4.2.4	Trust: 0.3

sources: BID: 20435 // JVNDB: JVNDB-2006-003290 // NVD: CVE-2006-5289 // CNNVD: CNNVD-200610-203

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2006-5289
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-200610-203
value:	HIGH
Trust: 0.6
VULHUB:	VHN-21397
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	TRUE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2006-5289
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-21397
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-21397 // JVNDB: JVNDB-2006-003290 // NVD: CVE-2006-5289 // CNNVD: CNNVD-200610-203

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-5289

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200610-203

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200610-203

CONFIGURATIONS

sources: NVD: CVE-2006-5289

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-21397

PATCH

title:

vtiger CRM

url:

https://www.vtiger.com/crm/

Trust: 0.8

sources: JVNDB: JVNDB-2006-003290

EXTERNAL IDS

db:	NVD	id:	CVE-2006-5289	Trust: 2.5
db:	BID	id:	20435	Trust: 2.0
db:	SREASON	id:	1722	Trust: 1.7
db:	EXPLOIT-DB	id:	2508	Trust: 1.7
db:	JVNDB	id:	JVNDB-2006-003290	Trust: 0.8
db:	CNNVD	id:	CNNVD-200610-203	Trust: 0.7
db:	BUGTRAQ	id:	20061009 [ECHO_ADV_54$2006]VTIGER CRM <=4.2 (CALPATH) MULTIPLE REMOTE FILE INCLUSION VULNERABILITY	Trust: 0.6
db:	MILW0RM	id:	2508	Trust: 0.6
db:	XF	id:	29416	Trust: 0.6
db:	SEEBUG	id:	SSVID-64076	Trust: 0.1
db:	VULHUB	id:	VHN-21397	Trust: 0.1

sources: VULHUB: VHN-21397 // BID: 20435 // JVNDB: JVNDB-2006-003290 // NVD: CVE-2006-5289 // CNNVD: CNNVD-200610-203

REFERENCES

url:	http://www.securityfocus.com/bid/20435	Trust: 1.7
url:	http://advisories.echo.or.id/adv/adv54-theday-2006.txt	Trust: 1.7
url:	http://securityreason.com/securityalert/1722	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/448092/100/0/threaded	Trust: 1.1
url:	https://www.exploit-db.com/exploits/2508	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/29416	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5289	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-5289	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/29416	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/448092/100/0/threaded	Trust: 0.6
url:	http://www.milw0rm.com/exploits/2508	Trust: 0.6
url:	http://milw0rm.com/exploits/2508	Trust: 0.6
url:	http://www.vtiger.com/	Trust: 0.3

sources: VULHUB: VHN-21397 // BID: 20435 // JVNDB: JVNDB-2006-003290 // NVD: CVE-2006-5289 // CNNVD: CNNVD-200610-203

CREDITS

Dedi Dwianto is credited with the discovery of these vulnerabilities.

Trust: 0.9

sources: BID: 20435 // CNNVD: CNNVD-200610-203

SOURCES

db:	VULHUB	id:	VHN-21397
db:	BID	id:	20435
db:	JVNDB	id:	JVNDB-2006-003290
db:	NVD	id:	CVE-2006-5289
db:	CNNVD	id:	CNNVD-200610-203

LAST UPDATE DATE

2023-12-18T13:54:06.688000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-21397	date:	2018-10-17T00:00:00
db:	BID	id:	20435	date:	2006-10-12T19:49:00
db:	JVNDB	id:	JVNDB-2006-003290	date:	2012-12-20T00:00:00
db:	NVD	id:	CVE-2006-5289	date:	2018-10-17T21:42:01.437
db:	CNNVD	id:	CNNVD-200610-203	date:	2006-10-16T00:00:00

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-21397	date:	2006-10-13T00:00:00
db:	BID	id:	20435	date:	2006-10-10T00:00:00
db:	JVNDB	id:	JVNDB-2006-003290	date:	2012-12-20T00:00:00
db:	NVD	id:	CVE-2006-5289	date:	2006-10-13T20:07:00
db:	CNNVD	id:	CNNVD-200610-203	date:	2006-10-13T00:00:00