Details of VAR-201408-0376

ID

VAR-201408-0376

CVE

CVE-2014-1222

TITLE

Vtiger CRM of kcfinder/browse.php Vulnerable to directory traversal

Trust: 0.8

sources: JVNDB: JVNDB-2014-003799

DESCRIPTION

Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM. Vtiger CRM of kcfinder/browse.php Contains a directory traversal vulnerability. An attacker can exploit this issue using directory-traversal strings to view files and execute local script code in the context of the web server process. This may allow the attacker to compromise the application; other attacks are also possible. vtiger CRM 5.4.0, 6.0 RC and 6.0.0 GA are vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information

Trust: 1.98

sources: NVD: CVE-2014-1222 // JVNDB: JVNDB-2014-003799 // BID: 66136 // VULHUB: VHN-69160

AFFECTED PRODUCTS

vendor:	vtiger	model:	crm	scope:	lte	version:	6.0.0	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	lt	version:	6.0.0 security patch 1	Trust: 0.8
vendor:	vtiger	model:	crm	scope:	eq	version:	6.0.0	Trust: 0.6

sources: JVNDB: JVNDB-2014-003799 // CNNVD: CNNVD-201406-506 // NVD: CVE-2014-1222

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1222
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-1222
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201406-506
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-69160
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-1222
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-69160
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-69160 // JVNDB: JVNDB-2014-003799 // CNNVD: CNNVD-201406-506 // NVD: CVE-2014-1222

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-69160 // JVNDB: JVNDB-2014-003799 // NVD: CVE-2014-1222

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-506

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201406-506

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003799

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-69160

PATCH

title:	vtigercrm-600-security-patch1.zip	url:	http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip/download	Trust: 0.8
title:	Top Page	url:	https://www.vtiger.com/	Trust: 0.8

sources: JVNDB: JVNDB-2014-003799

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1222	Trust: 2.8
db:	BID	id:	66136	Trust: 1.0
db:	JVNDB	id:	JVNDB-2014-003799	Trust: 0.8
db:	CNNVD	id:	CNNVD-201406-506	Trust: 0.7
db:	SECUNIA	id:	57149	Trust: 0.6
db:	EXPLOIT-DB	id:	36581	Trust: 0.1
db:	EXPLOIT-DB	id:	32213	Trust: 0.1
db:	EXPLOIT-DB	id:	27597	Trust: 0.1
db:	PACKETSTORM	id:	125685	Trust: 0.1
db:	SEEBUG	id:	SSVID-85512	Trust: 0.1
db:	SEEBUG	id:	SSVID-81201	Trust: 0.1
db:	VULHUB	id:	VHN-69160	Trust: 0.1

sources: VULHUB: VHN-69160 // BID: 66136 // JVNDB: JVNDB-2014-003799 // CNNVD: CNNVD-201406-506 // NVD: CVE-2014-1222

REFERENCES

url:	https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222/	Trust: 2.5
url:	http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%206.0.0/add-ons/vtigercrm-600-security-patch1.zip/download	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/531423/100/0/threaded	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1222	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1222	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/531423/100/0/threaded	Trust: 0.6
url:	http://secunia.com/advisories/57149	Trust: 0.6
url:	http://www.securityfocus.com/bid/66136	Trust: 0.6
url:	http://www.vtiger.com/	Trust: 0.3

sources: VULHUB: VHN-69160 // BID: 66136 // JVNDB: JVNDB-2014-003799 // CNNVD: CNNVD-201406-506 // NVD: CVE-2014-1222

CREDITS

Jerzy Kramarz

Trust: 0.9

sources: BID: 66136 // CNNVD: CNNVD-201406-506

SOURCES

db:	VULHUB	id:	VHN-69160
db:	BID	id:	66136
db:	JVNDB	id:	JVNDB-2014-003799
db:	CNNVD	id:	CNNVD-201406-506
db:	NVD	id:	CVE-2014-1222

LAST UPDATE DATE

2025-04-12T22:59:37.590000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-69160	date:	2018-10-09T00:00:00
db:	BID	id:	66136	date:	2014-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2014-003799	date:	2015-01-07T00:00:00
db:	CNNVD	id:	CNNVD-201406-506	date:	2014-08-13T00:00:00
db:	NVD	id:	CVE-2014-1222	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-69160	date:	2014-08-12T00:00:00
db:	BID	id:	66136	date:	2014-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2014-003799	date:	2014-08-15T00:00:00
db:	CNNVD	id:	CNNVD-201406-506	date:	2014-03-12T00:00:00
db:	NVD	id:	CVE-2014-1222	date:	2014-08-12T23:55:03.360