Details of VAR-190001-0047

ID

VAR-190001-0047

TITLE

Vtiger CRM Multiple local files contain vulnerabilities

Trust: 1.6

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802 // CNNVD: CNNVD-201111-260

DESCRIPTION

Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). Multiple local file inclusion vulnerabilities exist in Vtiger CRM 5.2.1 and earlier. Because the input provided to the user is not properly filtered, an attacker can exploit the vulnerability to obtain potentially sensitive information and execute any local scripts in the web server process, jeopardizing applications and computers, and possibly causing other attacks. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected

Trust: 1.17

sources: CNVD: CNVD-2011-5802 // BID: 50613 // IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802

AFFECTED PRODUCTS

vendor:

vtiger

model:

crm

scope:

version:

5.2.1

Trust: 1.3

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802 // BID: 50613

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2011-5802
value:	MEDIUM
Trust: 0.6
IVD:	7d7dc832-463f-11e9-a2ed-000c29342cb1
value:	MEDIUM
Trust: 0.2
IVD:	2ca8a52c-1f7f-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

CNVD:	CNVD-2011-5802
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d7dc832-463f-11e9-a2ed-000c29342cb1
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	2ca8a52c-1f7f-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201111-260

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 50613

PATCH

title:

Vtiger CRM multiple local files contain vulnerable patches

url:

https://www.cnvd.org.cn/patchinfo/show/36925

Trust: 0.6

sources: CNVD: CNVD-2011-5802

EXTERNAL IDS

db:	BID	id:	50613	Trust: 1.5
db:	CNVD	id:	CNVD-2011-5802	Trust: 1.0
db:	CNNVD	id:	CNNVD-201111-260	Trust: 0.6
db:	IVD	id:	7D7DC832-463F-11E9-A2ED-000C29342CB1	Trust: 0.2
db:	IVD	id:	2CA8A52C-1F7F-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802 // BID: 50613 // CNNVD: CNNVD-201111-260

REFERENCES

url:	http://www.securityfocus.com/bid/50613/info	Trust: 0.6
url:	http://www.securityfocus.com/bid/50613	Trust: 0.6
url:	http://vtiger.com/blogs/?p=894	Trust: 0.3
url:	https://www.htbridge.ch/advisory/local_file_inclusion_in_vtigercrm.html	Trust: 0.3
url:	http://www.vtiger.com/	Trust: 0.3

sources: CNVD: CNVD-2011-5802 // BID: 50613 // CNNVD: CNNVD-201111-260

CREDITS

High-Tech Bridge SA Security Research Lab

Trust: 0.9

sources: BID: 50613 // CNNVD: CNNVD-201111-260

SOURCES

db:	IVD	id:	7d7dc832-463f-11e9-a2ed-000c29342cb1
db:	IVD	id:	2ca8a52c-1f7f-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-5802
db:	BID	id:	50613
db:	CNNVD	id:	CNNVD-201111-260

LAST UPDATE DATE

2022-05-17T01:50:42.625000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-5802	date:	2011-11-15T00:00:00
db:	BID	id:	50613	date:	2011-11-09T00:00:00
db:	CNNVD	id:	CNNVD-201111-260	date:	2011-11-15T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	7d7dc832-463f-11e9-a2ed-000c29342cb1	date:	2011-11-15T00:00:00
db:	IVD	id:	2ca8a52c-1f7f-11e6-abef-000c29c66e3d	date:	2011-11-15T00:00:00
db:	CNVD	id:	CNVD-2011-5802	date:	2011-11-15T00:00:00
db:	BID	id:	50613	date:	2011-11-09T00:00:00
db:	CNNVD	id:	CNNVD-201111-260	date:	1900-01-01T00:00:00