ID

VAR-201905-1078


CVE

CVE-2019-11057


TITLE

SQL injection vulnerability in Vtiger CRM

Trust: 0.8

sources: JVNDB: JVNDB-2019-004622

DESCRIPTION

SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the US company Vtiger. It provides functions such as management, collection, and analysis of customer information. The vulnerability stems from the application failing to validate externally supplied input before using it in SQL statements.

Trust: 1.71

sources: NVD: CVE-2019-11057 // JVNDB: JVNDB-2019-004622 // VULHUB: VHN-142665

AFFECTED PRODUCTS

vendor: vtiger // model: crm // scope: eq // version: 7.1.0

Trust: 1.0

vendor: vtiger // model: crm // scope: lte // version: 7.0.1

Trust: 1.0

vendor: vtiger // model: crm // scope: lt // version: 7.1.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-004622 // NVD: CVE-2019-11057

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11057
value: HIGH

Trust: 1.0

NVD: CVE-2019-11057
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-774
value: HIGH

Trust: 0.6

VULHUB: VHN-142665
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11057
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-142665
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11057
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-11057
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-142665 // JVNDB: JVNDB-2019-004622 // CNNVD: CNNVD-201905-774 // NVD: CVE-2019-11057

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-142665 // JVNDB: JVNDB-2019-004622 // NVD: CVE-2019-11057

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-774

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201905-774

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004622

PATCH

title: [Vtigercrm-developers] Vtiger CRM 7.1.0 (hotfix3) Released // url: http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html

Trust: 0.8

sources: JVNDB: JVNDB-2019-004622

EXTERNAL IDS

db: NVD // id: CVE-2019-11057

Trust: 2.5

db: JVNDB // id: JVNDB-2019-004622

Trust: 0.8

db: CNNVD // id: CNNVD-201905-774

Trust: 0.7

db: VULHUB // id: VHN-142665

Trust: 0.1

sources: VULHUB: VHN-142665 // JVNDB: JVNDB-2019-004622 // CNNVD: CNNVD-201905-774 // NVD: CVE-2019-11057

REFERENCES

url:https://cybersecurityworks.com/zerodays/cve-2019-11057-vtiger.html

Trust: 1.7

url:http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-april/037964.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-11057

Trust: 1.4

url:https://medium.com/%40mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11057

Trust: 0.8

url:https://medium.com/@mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c

Trust: 0.7

sources: VULHUB: VHN-142665 // JVNDB: JVNDB-2019-004622 // CNNVD: CNNVD-201905-774 // NVD: CVE-2019-11057

SOURCES

db: VULHUB // id: VHN-142665
db: JVNDB // id: JVNDB-2019-004622
db: CNNVD // id: CNNVD-201905-774
db: NVD // id: CVE-2019-11057

LAST UPDATE DATE

2024-11-23T22:58:40.158000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-142665 // date: 2019-05-20T00:00:00
db: JVNDB // id: JVNDB-2019-004622 // date: 2019-06-05T00:00:00
db: CNNVD // id: CNNVD-201905-774 // date: 2020-10-30T00:00:00
db: NVD // id: CVE-2019-11057 // date: 2024-11-21T04:20:27.323

SOURCES RELEASE DATE

db: VULHUB // id: VHN-142665 // date: 2019-05-17T00:00:00
db: JVNDB // id: JVNDB-2019-004622 // date: 2019-06-05T00:00:00
db: CNNVD // id: CNNVD-201905-774 // date: 2019-05-17T00:00:00
db: NVD // id: CVE-2019-11057 // date: 2019-05-17T17:29:00.280