ID

VAR-202101-0284


CVE

CVE-2020-19362


TITLE

Vtiger CRM Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-015546

DESCRIPTION

Reflected XSS in Vtiger CRM v7.2.0, in vtigercrm/index.php? via the view parameter, can let an attacker perform malicious actions against users who open a maliciously crafted link or third-party web page. Vtiger CRM contains a cross-site scripting vulnerability; information may be obtained and information may be tampered with. Vtiger CRM is a customer relationship management (CRM) system developed by Vtiger in the United States and based on SugarCRM. The system provides functions such as the management, collection, and analysis of customer information. Vtiger CRM v7.2.0 has a cross-site scripting vulnerability that stems from the web application's lack of correct validation of client-supplied data. An attacker can use this vulnerability to execute client-side code.

Trust: 2.34

sources: NVD: CVE-2020-19362 // JVNDB: JVNDB-2020-015546 // CNVD: CNVD-2021-05457 // VULHUB: VHN-172733 // VULMON: CVE-2020-19362

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-05457

AFFECTED PRODUCTS

vendor: vtiger
model: crm
scope: eq
version: 7.2.0

Trust: 2.4

vendor: vtiger
model: crm
scope: eq
version: -

Trust: 0.8

sources: CNVD: CNVD-2021-05457 // JVNDB: JVNDB-2020-015546 // NVD: CVE-2020-19362

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-19362
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-19362
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-05457
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202101-1540
value: MEDIUM

Trust: 0.6

VULHUB: VHN-172733
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-19362
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-19362
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-05457
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-172733
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-19362
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-19362
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-05457 // VULHUB: VHN-172733 // VULMON: CVE-2020-19362 // JVNDB: JVNDB-2020-015546 // CNNVD: CNNVD-202101-1540 // NVD: CVE-2020-19362

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-172733 // JVNDB: JVNDB-2020-015546 // NVD: CVE-2020-19362

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1540

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202101-1540

PATCH

title: Vtiger Open Source Edition 7.4.0
url: https://www.vtiger.com/open-source-crm/download-open-source/

Trust: 0.8

title: Vtiger-CRM-Vulnerabilities
url: https://github.com/EmreOvunc/Vtiger-CRM-Vulnerabilities

Trust: 0.1

sources: VULMON: CVE-2020-19362 // JVNDB: JVNDB-2020-015546

EXTERNAL IDS

db: NVD
id: CVE-2020-19362

Trust: 3.2

db: JVNDB
id: JVNDB-2020-015546

Trust: 0.8

db: CNVD
id: CNVD-2021-05457

Trust: 0.6

db: CNNVD
id: CNNVD-202101-1540

Trust: 0.6

db: VULHUB
id: VHN-172733

Trust: 0.1

db: VULMON
id: CVE-2020-19362

Trust: 0.1

sources: CNVD: CNVD-2021-05457 // VULHUB: VHN-172733 // VULMON: CVE-2020-19362 // JVNDB: JVNDB-2020-015546 // CNNVD: CNNVD-202101-1540 // NVD: CVE-2020-19362

REFERENCES

url: https://github.com/emreovunc/vtiger-crm-vulnerabilities/

Trust: 2.6

url: https://emreovunc.com/blog/en/vtiger_crm_xss_03.png

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2020-19362

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://github.com/emreovunc/vtiger-crm-vulnerabilities

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-05457 // VULHUB: VHN-172733 // VULMON: CVE-2020-19362 // JVNDB: JVNDB-2020-015546 // CNNVD: CNNVD-202101-1540 // NVD: CVE-2020-19362

SOURCES

db: CNVD, id: CNVD-2021-05457
db: VULHUB, id: VHN-172733
db: VULMON, id: CVE-2020-19362
db: JVNDB, id: JVNDB-2020-015546
db: CNNVD, id: CNNVD-202101-1540
db: NVD, id: CVE-2020-19362

LAST UPDATE DATE

2024-11-23T21:35:00.497000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-05457, date: 2021-02-03T00:00:00
db: VULHUB, id: VHN-172733, date: 2021-01-22T00:00:00
db: VULMON, id: CVE-2020-19362, date: 2021-01-22T00:00:00
db: JVNDB, id: JVNDB-2020-015546, date: 2021-10-04T08:24:00
db: CNNVD, id: CNNVD-202101-1540, date: 2021-01-25T00:00:00
db: NVD, id: CVE-2020-19362, date: 2024-11-21T05:09:09.227

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-05457, date: 2021-01-24T00:00:00
db: VULHUB, id: VHN-172733, date: 2021-01-20T00:00:00
db: VULMON, id: CVE-2020-19362, date: 2021-01-20T00:00:00
db: JVNDB, id: JVNDB-2020-015546, date: 2021-10-04T00:00:00
db: CNNVD, id: CNNVD-202101-1540, date: 2021-01-20T00:00:00
db: NVD, id: CVE-2020-19362, date: 2021-01-20T01:15:13.333