Sign-up

ID

VAR-202002-0733


CVE

CVE-2015-6000


TITLE

Vtiger CRM Vulnerability in unlimited upload of dangerous types of files in

Trust: 0.8

sources: JVNDB: JVNDB-2015-008576

DESCRIPTION

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. Vtiger CRM Exists in a vulnerability related to unlimited upload of dangerous types of files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. vtiger CRM is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected system; this can result in arbitrary code execution within the context of the affected system. vtiger CRM 6.3.0 and prior versions are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. Vtiger CRM 6.3.0 and previous versions have a code problem vulnerability in the 'Settings_Vtiger_CompanyDetailsSave_Action' class of the modules/Settings/Vtiger/actions/CompanyDetailsSave.php file

Trust: 2.07

sources: NVD: CVE-2015-6000 // JVNDB: JVNDB-2015-008576 // BID: 97712 // VULHUB: VHN-83961 // VULMON: CVE-2015-6000

AFFECTED PRODUCTS

vendor:vtigermodel:crmscope:eqversion:6.3.0

Trust: 1.1

vendor:vtigermodel:crmscope:lteversion:6.3.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:4

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.0.2

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.2

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.4.0

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:4.2.4

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.0.4

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:3.0.1

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:4.2

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.0.1

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.1

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.0

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.0.3

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:6.0.0

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:4.0.1

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.2.0

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:3.2

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.3

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:6.0

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:5.2.1

Trust: 0.3

sources: BID: 97712 // JVNDB: JVNDB-2015-008576 // NVD: CVE-2015-6000

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6000
value: HIGH

Trust: 1.0

NVD: JVNDB-2015-008576
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201704-1009
value: HIGH

Trust: 0.6

VULHUB: VHN-83961
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-6000
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-6000
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2015-008576
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-83961
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-6000
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2015-008576
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-83961 // VULMON: CVE-2015-6000 // JVNDB: JVNDB-2015-008576 // CNNVD: CNNVD-201704-1009 // NVD: CVE-2015-6000

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.9

sources: VULHUB: VHN-83961 // JVNDB: JVNDB-2015-008576 // NVD: CVE-2015-6000

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-1009

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201704-1009

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-008576

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-83961 // 
            
            
            
            VULMON: CVE-2015-6000

PATCH
title:Top Pageurl:https://www.vtiger.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-008576

EXTERNAL IDS
db:NVDid:CVE-2015-6000
Trust: 2.9
db:EXPLOIT-DBid:38345
Trust: 1.8
db:JVNDBid:JVNDB-2015-008576
Trust: 0.8
db:CNNVDid:CNNVD-201704-1009
Trust: 0.7
db:BIDid:97712
Trust: 0.5
db:PACKETSTORMid:133755
Trust: 0.1
db:PACKETSTORMid:148753
Trust: 0.1
db:SEEBUGid:SSVID-89669
Trust: 0.1
db:VULHUBid:VHN-83961
Trust: 0.1
db:VULMONid:CVE-2015-6000
Trust: 0.1
sources:
            
            
            VULHUB: VHN-83961 // 
            
            
            
            VULMON: CVE-2015-6000 // 
            
            
            
            BID: 97712 // 
            
            
            
            JVNDB: JVNDB-2015-008576 // 
            
            
            
            CNNVD: CNNVD-201704-1009 // 
            
            
            
            NVD: CVE-2015-6000

REFERENCES
url:http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
Trust: 2.6
url:https://www.exploit-db.com/exploits/38345/
Trust: 1.9
url:http://www.securityfocus.com//archive/1/536563/100/0/threaded
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-6000
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6000
Trust: 0.8
url:https://www.vtiger.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/434.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://www.securityfocus.com/bid/97712
Trust: 0.1
url:https://www.rapid7.com/db/modules/exploit/multi/http/vtiger_logo_upload_exec
Trust: 0.1
sources:
            
            
            VULHUB: VHN-83961 // 
            
            
            
            VULMON: CVE-2015-6000 // 
            
            
            
            BID: 97712 // 
            
            
            
            JVNDB: JVNDB-2015-008576 // 
            
            
            
            CNNVD: CNNVD-201704-1009 // 
            
            
            
            NVD: CVE-2015-6000

CREDITS
Benjamin Daniel Mussler
Trust: 0.9
sources:
            
            
            BID: 97712 // 
            
            
            
            CNNVD: CNNVD-201704-1009

SOURCES
db:VULHUBid:VHN-83961
db:VULMONid:CVE-2015-6000
db:BIDid:97712
db:JVNDBid:JVNDB-2015-008576
db:CNNVDid:CNNVD-201704-1009
db:NVDid:CVE-2015-6000

LAST UPDATE DATE
2024-11-23T21:41:31.232000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-83961date:2020-02-10T00:00:00
db:VULMONid:CVE-2015-6000date:2020-02-10T00:00:00
db:BIDid:97712date:2017-04-18T21:08:00
db:JVNDBid:JVNDB-2015-008576date:2020-02-25T00:00:00
db:CNNVDid:CNNVD-201704-1009date:2020-06-02T00:00:00
db:NVDid:CVE-2015-6000date:2024-11-21T02:34:16.470

SOURCES RELEASE DATE
db:VULHUBid:VHN-83961date:2020-02-06T00:00:00
db:VULMONid:CVE-2015-6000date:2020-02-06T00:00:00
db:BIDid:97712date:2015-09-28T00:00:00
db:JVNDBid:JVNDB-2015-008576date:2020-02-25T00:00:00
db:CNNVDid:CNNVD-201704-1009date:2015-09-28T00:00:00
db:NVDid:CVE-2015-6000date:2020-02-06T14:15:10.597