VTiger CRM PHP Code Injection Vulnerability Network Vulnerability

Summary

vTiger CRM PHP Code Injection Vulnerability

Impact

A remote attacker can write (or overwrite) files with any content, resulting in execution of arbitrary PHP code.

Solution

Apply the patch from the link below or upgrade to version 6.0 or later.

Insight

The installed vTiger CRM is prone to a PHP code injection vulnerability. The AddEmailAttachment SOAP method in /soap/vtigerolservice.php fails to properly validate input passed through the 'filedata' and 'filename' parameters which are used to write an 'email attachement' in the storage direcory.

Affected

vTiger CRM version 5.0.0 to 5.4.0.

Detection

Check the version.

References

http://karmainsecurity.com/KIS-2013-07
http://www.osvdb.com/95902
https://www.vtiger.com/blogs/?p=1467

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-3214
CVSS Base Score: 4.9
AV:N/AC:M/Au:S/C:P/I:P/A:N

Related Vulnerabilities

aeNovo Database Content Disclosure Vulnerability
Apache Solr XML External Entity(XXE) Vulnerability-01 Jan-14
Andy's PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities
APC PowerChute Network Shutdown 'security/applet' Cross Site Scripting Vulnerability
Advantech WebAccess Multiple Stack Based Buffer Overflow Vulnerabilities

Take action and discover your vulnerabilities