Details of VAR-201411-0075

ID

VAR-201411-0075

CVE

CVE-2014-2268

TITLE

vTiger Of installation modules views/Index.php Vulnerable to application reinstallation

Trust: 0.8

sources: JVNDB: JVNDB-2014-005475

DESCRIPTION

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. vtiger CRM is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. vtiger CRM 6.0 is vulnerable; other versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company, which provides functions such as management, collection and analysis of customer information. Install Module is one of the installation modules

Trust: 2.07

sources: NVD: CVE-2014-2268 // JVNDB: JVNDB-2014-005475 // BID: 66758 // VULHUB: VHN-70207 // VULMON: CVE-2014-2268

AFFECTED PRODUCTS

vendor:	vtiger	model:	crm	scope:	eq	version:	5.2.1	Trust: 1.6
vendor:	vtiger	model:	crm	scope:	eq	version:	6.0.0	Trust: 1.6
vendor:	vtiger	model:	crm	scope:	eq	version:	5.1.0	Trust: 1.6
vendor:	vtiger	model:	crm	scope:	eq	version:	5.3.0	Trust: 1.6
vendor:	vtiger	model:	crm	scope:	eq	version:	5.4.0	Trust: 1.6
vendor:	vtiger	model:	crm	scope:	eq	version:	5.2.0	Trust: 1.6
vendor:	vtiger	model:	crm	scope:	eq	version:	3.2	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	4.0	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.3	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	4.2.4	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	1.0	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	3.0	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.1	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	2.0.1	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.4	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	4.0.1	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.0	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	4.2	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	4	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.2	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	2.1	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	2.0	Trust: 1.0
vendor:	vtiger	model:	crm	scope:	eq	version:	6.0 security patch 2	Trust: 0.8
vendor:	vtiger	model:	crm	scope:	lt	version:	6.0	Trust: 0.8
vendor:	vtiger	model:	crm	scope:	eq	version:	6.0	Trust: 0.3

sources: BID: 66758 // JVNDB: JVNDB-2014-005475 // CNNVD: CNNVD-201406-544 // NVD: CVE-2014-2268

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2268
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2268
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201406-544
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70207
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2014-2268
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2268
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-70207
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70207 // VULMON: CVE-2014-2268 // JVNDB: JVNDB-2014-005475 // CNNVD: CNNVD-201406-544 // NVD: CVE-2014-2268

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-70207 // JVNDB: JVNDB-2014-005475 // NVD: CVE-2014-2268

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-544

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201406-544

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005475

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-70207 // VULMON: CVE-2014-2268

PATCH

title:	IMP: forgot password and re-installation security fix	url:	http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html	Trust: 0.8
title:	vtigercrm-600-security-patch3	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52472	Trust: 0.6

sources: JVNDB: JVNDB-2014-005475 // CNNVD: CNNVD-201406-544

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2268	Trust: 2.9
db:	BID	id:	66757	Trust: 1.8
db:	EXPLOIT-DB	id:	32794	Trust: 1.8
db:	JVNDB	id:	JVNDB-2014-005475	Trust: 0.8
db:	CNNVD	id:	CNNVD-201406-544	Trust: 0.7
db:	BID	id:	66758	Trust: 0.5
db:	PACKETSTORM	id:	126067	Trust: 0.1
db:	SEEBUG	id:	SSVID-86064	Trust: 0.1
db:	VULHUB	id:	VHN-70207	Trust: 0.1
db:	VULMON	id:	CVE-2014-2268	Trust: 0.1

sources: VULHUB: VHN-70207 // VULMON: CVE-2014-2268 // BID: 66758 // JVNDB: JVNDB-2014-005475 // CNNVD: CNNVD-201406-544 // NVD: CVE-2014-2268

REFERENCES

url:	https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html	Trust: 2.1
url:	http://vtiger-crm.2324883.n4.nabble.com/vtigercrm-developers-imp-forgot-password-and-re-installation-security-fix-tt9786.html	Trust: 2.1
url:	http://www.securityfocus.com/bid/66757	Trust: 1.8
url:	http://www.exploit-db.com/exploits/32794	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2268	Trust: 0.8
url:	https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2268	Trust: 0.8
url:	http://www.vtiger.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/264.html	Trust: 0.1
url:	https://www.exploit-db.com/exploits/32794/	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.rapid7.com/db/modules/exploit/multi/http/vtiger_install_rce	Trust: 0.1
url:	https://www.securityfocus.com/bid/66758	Trust: 0.1

sources: VULHUB: VHN-70207 // VULMON: CVE-2014-2268 // BID: 66758 // JVNDB: JVNDB-2014-005475 // CNNVD: CNNVD-201406-544 // NVD: CVE-2014-2268

CREDITS

Jonathan of Navixia Research Team

Trust: 0.9

sources: BID: 66758 // CNNVD: CNNVD-201406-544

SOURCES

db:	VULHUB	id:	VHN-70207
db:	VULMON	id:	CVE-2014-2268
db:	BID	id:	66758
db:	JVNDB	id:	JVNDB-2014-005475
db:	CNNVD	id:	CNNVD-201406-544
db:	NVD	id:	CVE-2014-2268

LAST UPDATE DATE

2025-04-13T23:32:50.292000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70207	date:	2017-11-20T00:00:00
db:	VULMON	id:	CVE-2014-2268	date:	2017-11-20T00:00:00
db:	BID	id:	66758	date:	2014-04-10T00:00:00
db:	JVNDB	id:	JVNDB-2014-005475	date:	2014-11-18T00:00:00
db:	CNNVD	id:	CNNVD-201406-544	date:	2014-11-17T00:00:00
db:	NVD	id:	CVE-2014-2268	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70207	date:	2014-11-16T00:00:00
db:	VULMON	id:	CVE-2014-2268	date:	2014-11-16T00:00:00
db:	BID	id:	66758	date:	2014-04-10T00:00:00
db:	JVNDB	id:	JVNDB-2014-005475	date:	2014-11-18T00:00:00
db:	CNNVD	id:	CNNVD-201406-544	date:	2014-04-10T00:00:00
db:	NVD	id:	CVE-2014-2268	date:	2014-11-16T01:59:00.130