ID
VAR-201111-0314
TITLE
Vtiger CRM 'index.php' local file contains vulnerability
Trust: 0.6
DESCRIPTION
Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). There is a local file containing vulnerability in vtiger CRM. Since the input provided to index.php via the \"file\" GET parameter is missing validation before being used to include the file, the attacker can include the previously uploaded file via the directory traversal sequence and the URL-encoded null bytes: http://[host ]/index.php?module=Accounts&action=AccountsAjax&ajax=true&file=AddressChange&file=../../storage/2011/October/week3/UploadedFile.txt%00
Trust: 0.72
IOT TAXONOMY
| category: | ['ICS'] | sub_category: | - | Trust: 0.8 |
AFFECTED PRODUCTS
| vendor: | vtiger | model: | crm | scope: | eq | version: | 5.x | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||
|
|
TYPE
Configuration issues
Trust: 0.2
PATCH
| title: | Vtiger CRM 'index.php' local file contains vulnerable patches | url: | https://www.cnvd.org.cn/patchinfo/show/5842 | Trust: 0.6 |
EXTERNAL IDS
| db: | CNVD | id: | CNVD-2011-4817 | Trust: 0.8 |
| db: | IVD | id: | E2308450-1F7F-11E6-ABEF-000C29C66E3D | Trust: 0.2 |
REFERENCES
| url: | https://www.htbridge.ch/advisory/local_file_inclusion_in_vtigercrm.html | Trust: 0.6 |
SOURCES
| db: | IVD | id: | e2308450-1f7f-11e6-abef-000c29c66e3d |
| db: | CNVD | id: | CNVD-2011-4817 |
LAST UPDATE DATE
2022-05-17T01:53:22.090000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2011-4817 | date: | 2011-11-11T00:00:00 |
SOURCES RELEASE DATE
| db: | IVD | id: | e2308450-1f7f-11e6-abef-000c29c66e3d | date: | 2011-11-11T00:00:00 |
| db: | CNVD | id: | CNVD-2011-4817 | date: | 2011-11-11T00:00:00 |