This host is installed with Vtiger CRM and is prone to arbitrary file disclosure vulnerability

Successful exploitation will allow an authenticated remote attacker to gain access to arbitrary files. Impact Level: Application

Apply the patch Vtiger CRM 6.0.0 Security patch 1 from the below link, http://softlayer-sng.dl.sourceforge.net/project/vtigercrm/vtiger%20CRM%206.0.0/Add-ons/vtigercrm-600-security-patch1.zip or Upgrade to the latest version, For updates refer to https://www.vtiger.com ***** NOTE: Ignore this warning, if above mentioned patch is manually applied. *****

Flaw is due to the /kcfinder/browse.php script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') supplied via the 'file' parameter.

Vtiger CRM version 6.0.0 and prior

Get the installed version with the help of detect NVT and check the version is vulnerable or not.

• http://packetstormsecurity.com/files/125685
• http://secunia.com/advisories/57149
• http://www.osvdb.com/104392
• https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1222

---

Updated on 2015-03-25