ID

VAR-201905-0625


CVE

CVE-2016-10754


TITLE

SQL injection vulnerability in Vtiger CRM

Trust: 0.8

sources: JVNDB: JVNDB-2016-009340

DESCRIPTION

modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter. An SQL injection vulnerability exists in Vtiger CRM. Information may be obtained or altered, and service operation may be disrupted (DoS). Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection and analysis of customer information. The vulnerability stems from the application failing to validate externally supplied input before using it in SQL statements. Attackers can exploit this vulnerability to execute unauthorized SQL commands.

Trust: 1.71

sources: NVD: CVE-2016-10754 // JVNDB: JVNDB-2016-009340 // VULHUB: VHN-89562

AFFECTED PRODUCTS

vendor: vtiger
model: crm
scope: eq
version: 6.5.0

Trust: 1.8

sources: JVNDB: JVNDB-2016-009340 // NVD: CVE-2016-10754

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-10754
value: HIGH

Trust: 1.0

NVD: CVE-2016-10754
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-1005
value: HIGH

Trust: 0.6

VULHUB: VHN-89562
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-10754
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-89562
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-10754
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-89562 // JVNDB: JVNDB-2016-009340 // CNNVD: CNNVD-201905-1005 // NVD: CVE-2016-10754

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-89562 // JVNDB: JVNDB-2016-009340 // NVD: CVE-2016-10754

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-1005

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201905-1005

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-009340

PATCH

title: Top Page
url: https://www.vtiger.com/

Trust: 0.8

title: Vtiger CRM SQL injection vulnerability repair measures
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92961

Trust: 0.6

sources: JVNDB: JVNDB-2016-009340 // CNNVD: CNNVD-201905-1005

EXTERNAL IDS

db: NVD, id: CVE-2016-10754

Trust: 2.5

db: JVNDB, id: JVNDB-2016-009340

Trust: 0.8

db: CNNVD, id: CNNVD-201905-1005

Trust: 0.7

db: VULHUB, id: VHN-89562

Trust: 0.1

sources: VULHUB: VHN-89562 // JVNDB: JVNDB-2016-009340 // CNNVD: CNNVD-201905-1005 // NVD: CVE-2016-10754

REFERENCES

url: https://blog.ripstech.com/2016/vtiger-sql-injection/

Trust: 2.5

url: https://demo.ripstech.com/projects/vtiger_6.5.0

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2016-10754

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10754

Trust: 0.8

sources: VULHUB: VHN-89562 // JVNDB: JVNDB-2016-009340 // CNNVD: CNNVD-201905-1005 // NVD: CVE-2016-10754

SOURCES

db: VULHUB, id: VHN-89562
db: JVNDB, id: JVNDB-2016-009340
db: CNNVD, id: CNNVD-201905-1005
db: NVD, id: CVE-2016-10754

LAST UPDATE DATE

2024-11-23T21:52:17.181000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-89562, date: 2019-05-29T00:00:00
db: JVNDB, id: JVNDB-2016-009340, date: 2019-06-10T00:00:00
db: CNNVD, id: CNNVD-201905-1005, date: 2019-05-30T00:00:00
db: NVD, id: CVE-2016-10754, date: 2024-11-21T02:44:40.170

SOURCES RELEASE DATE

db: VULHUB, id: VHN-89562, date: 2019-05-24T00:00:00
db: JVNDB, id: JVNDB-2016-009340, date: 2019-06-10T00:00:00
db: CNNVD, id: CNNVD-201905-1005, date: 2019-05-24T00:00:00
db: NVD, id: CVE-2016-10754, date: 2019-05-24T18:29:00.410