ID

VAR-190001-0047


TITLE

Vtiger CRM Multiple Local File Inclusion Vulnerabilities

Trust: 1.6

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802 // CNNVD: CNNVD-201111-260

DESCRIPTION

Vtiger CRM is a web-based Customer Relationship Management (CRM) system built around Sales Force Automation (SFA). Multiple local file inclusion vulnerabilities exist in Vtiger CRM 5.2.1 and earlier. Because user-supplied input is not properly filtered, an attacker can exploit the vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.

Trust: 1.17

sources: CNVD: CNVD-2011-5802 // BID: 50613 // IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 1.0

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802

AFFECTED PRODUCTS

vendor: vtiger
model: crm
scope: eq
version: 5.2.1

Trust: 1.3

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802 // BID: 50613

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2011-5802
value: MEDIUM

Trust: 0.6

IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1
value: MEDIUM

Trust: 0.2

IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

CNVD: CNVD-2011-5802
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201111-260

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 50613

PATCH

title: Patch for Vtiger CRM multiple local file inclusion vulnerabilities
url: https://www.cnvd.org.cn/patchinfo/show/36925

Trust: 0.6

sources: CNVD: CNVD-2011-5802

EXTERNAL IDS

db: BID, id: 50613

Trust: 1.5

db: CNVD, id: CNVD-2011-5802

Trust: 1.0

db: CNNVD, id: CNNVD-201111-260

Trust: 0.6

db: IVD, id: 7D7DC832-463F-11E9-A2ED-000C29342CB1

Trust: 0.2

db: IVD, id: 2CA8A52C-1F7F-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 7d7dc832-463f-11e9-a2ed-000c29342cb1 // IVD: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5802 // BID: 50613 // CNNVD: CNNVD-201111-260

REFERENCES

url: http://www.securityfocus.com/bid/50613/info

Trust: 0.6

url: http://www.securityfocus.com/bid/50613

Trust: 0.6

url: http://vtiger.com/blogs/?p=894

Trust: 0.3

url: https://www.htbridge.ch/advisory/local_file_inclusion_in_vtigercrm.html

Trust: 0.3

url: http://www.vtiger.com/

Trust: 0.3

sources: CNVD: CNVD-2011-5802 // BID: 50613 // CNNVD: CNNVD-201111-260

CREDITS

High-Tech Bridge SA Security Research Lab

Trust: 0.9

sources: BID: 50613 // CNNVD: CNNVD-201111-260

SOURCES

db: IVD, id: 7d7dc832-463f-11e9-a2ed-000c29342cb1
db: IVD, id: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2011-5802
db: BID, id: 50613
db: CNNVD, id: CNNVD-201111-260

LAST UPDATE DATE

2022-05-17T01:50:42.625000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2011-5802, date: 2011-11-15T00:00:00
db: BID, id: 50613, date: 2011-11-09T00:00:00
db: CNNVD, id: CNNVD-201111-260, date: 2011-11-15T00:00:00

SOURCES RELEASE DATE

db: IVD, id: 7d7dc832-463f-11e9-a2ed-000c29342cb1, date: 2011-11-15T00:00:00
db: IVD, id: 2ca8a52c-1f7f-11e6-abef-000c29c66e3d, date: 2011-11-15T00:00:00
db: CNVD, id: CNVD-2011-5802, date: 2011-11-15T00:00:00
db: BID, id: 50613, date: 2011-11-09T00:00:00
db: CNNVD, id: CNNVD-201111-260, date: 1900-01-01T00:00:00