ID

VAR-201203-0408


TITLE

Vtiger CRM 'module_name' Parameter Local File Inclusion Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2012-1498

DESCRIPTION

Vtiger CRM is a web-based Customer Relationship Management (CRM) system built around Sales Force Automation (SFA). vtiger CRM fails to properly filter input submitted to the 'module_name' parameter, so an attacker can use directory traversal sequences to view the contents of system files with the permissions of the web server. vtiger CRM is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks. vtiger CRM 5.1.0 is vulnerable; other versions may also be affected. This BID is being retired as a duplicate of BID 47263 (vtiger CRM 'sortfieldsjson.php' Local File Include Vulnerability).

Trust: 0.99

sources: CNVD: CNVD-2012-1498 // BID: 52671 // IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-1498

AFFECTED PRODUCTS

vendor: vtiger, model: crm, scope: eq, version: 5.1

Trust: 1.1

vendor: vtiger, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-1498 // BID: 52671

CVSS

SEVERITY

CVSSV2

CVSSV3

IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

sources: IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d

THREAT TYPE

network

Trust: 0.3

sources: BID: 52671

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 52671

EXTERNAL IDS

db: BID, id: 52671

Trust: 0.9

db: CNVD, id: CNVD-2012-1498

Trust: 0.8

db: IVD, id: 981F1DB0-1F6E-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 981f1db0-1f6e-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-1498 // BID: 52671

REFERENCES

url: http://www.securityfocus.com/bid/52671

Trust: 0.6

url: http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%205.1.0/

Trust: 0.3

sources: CNVD: CNVD-2012-1498 // BID: 52671

CREDITS

Pi3rrot

Trust: 0.3

sources: BID: 52671

SOURCES

db: IVD, id: 981f1db0-1f6e-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2012-1498
db: BID, id: 52671

LAST UPDATE DATE

2022-05-17T02:02:38.565000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2012-1498, date: 2012-03-26T00:00:00
db: BID, id: 52671, date: 2012-04-26T15:30:00

SOURCES RELEASE DATE

db: IVD, id: 981f1db0-1f6e-11e6-abef-000c29c66e3d, date: 2012-03-26T00:00:00
db: CNVD, id: CNVD-2012-1498, date: 2012-03-26T00:00:00
db: BID, id: 52671, date: 2012-03-21T00:00:00