ID
VAR-201111-0315
TITLE
vtiger CRM 'graph.php' Local file contains vulnerabilities
Trust: 0.8
DESCRIPTION
Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). There is a local file containing vulnerability in vtiger CRM. Since the input to graph.php via the \"module\" and \"action\" GET parameters is missing validation before being used to include the file, the attacker can include the previously uploaded file via the directory traversal sequence and the URL-encoded null bytes: http: //[host]/graph.php?module=../storage/2011/October/week3/UploadedFile.txt%00http://[host]/graph.php?module=1&action=../../storage /2011/October/week3/UploadedFile.txt%00
Trust: 0.72
IOT TAXONOMY
| category: | ['ICS'] | sub_category: | - | Trust: 0.8 |
AFFECTED PRODUCTS
| vendor: | vtiger | model: | crm | scope: | eq | version: | 5.x | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||
|
|
TYPE
Configuration issues
Trust: 0.2
PATCH
| title: | Vtiger CRM 'graph.php' local file contains vulnerable patches | url: | https://www.cnvd.org.cn/patchinfo/show/5841 | Trust: 0.6 |
EXTERNAL IDS
| db: | CNVD | id: | CNVD-2011-4818 | Trust: 0.8 |
| db: | IVD | id: | E077DCE4-1F7F-11E6-ABEF-000C29C66E3D | Trust: 0.2 |
REFERENCES
| url: | https://www.htbridge.ch/advisory/local_file_inclusion_in_vtigercrm.html | Trust: 0.6 |
SOURCES
| db: | IVD | id: | e077dce4-1f7f-11e6-abef-000c29c66e3d |
| db: | CNVD | id: | CNVD-2011-4818 |
LAST UPDATE DATE
2022-05-17T02:00:10.653000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2011-4818 | date: | 2011-11-11T00:00:00 |
SOURCES RELEASE DATE
| db: | IVD | id: | e077dce4-1f7f-11e6-abef-000c29c66e3d | date: | 2011-11-11T00:00:00 |
| db: | CNVD | id: | CNVD-2011-4818 | date: | 2011-11-11T00:00:00 |