Details of VAR-190001-0859

ID

VAR-190001-0859

TITLE

Vtiger CRM \342\200\230graph.php\342\200\231 authentication bypass vulnerability

Trust: 0.6

sources: CNVD: CNVD-2011-5585

DESCRIPTION

Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). There is a certificate bypass vulnerability in vtiger CRM. An attacker could exploit the vulnerability to bypass the authentication process and download database backups to modify configuration settings. The vulnerability exists in vtiger CRM version 5.2.1 and other versions may be affected

Trust: 0.99

sources: CNVD: CNVD-2011-5585 // BID: 51192 // IVD: f23c8d54-1f79-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: f23c8d54-1f79-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5585

AFFECTED PRODUCTS

vendor:	vtiger	model:	crm	scope:	lte	version:	<=5.2.x	Trust: 0.8
vendor:	vtiger	model:	crm	scope:	eq	version:	5.2.1	Trust: 0.3
vendor:	vtiger	model:	crm	scope:	eq	version:	5.2	Trust: 0.3
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.4	Trust: 0.3
vendor:	vtiger	model:	crm	scope:	eq	version:	5.0.3	Trust: 0.3
vendor:	vtiger	model:	crm	scope:	eq	version:	4.2.4	Trust: 0.3
vendor:	vtiger	model:	crm	scope:	eq	version:	4.2	Trust: 0.3
vendor:	vtiger	model:	crm rc	scope:	eq	version:	5.0.4	Trust: 0.3
vendor:	vtiger	model:	crm	scope:	ne	version:	5.3	Trust: 0.3

sources: IVD: f23c8d54-1f79-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5585 // BID: 51192

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2011-5585
value:	HIGH
Trust: 0.6
IVD:	f23c8d54-1f79-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2

CNVD:	CNVD-2011-5585
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	f23c8d54-1f79-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: f23c8d54-1f79-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5585

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201112-464

TYPE

Access Validation Error

Trust: 0.3

sources: BID: 51192

PATCH

title:

Vtiger CRM \342\200\230graph.php\342\200\231 authentication bypass vulnerability patch

url:

https://www.cnvd.org.cn/patchinfo/show/35883

Trust: 0.6

sources: CNVD: CNVD-2011-5585

EXTERNAL IDS

db:	BID	id:	51192	Trust: 1.5
db:	CNVD	id:	CNVD-2011-5585	Trust: 0.8
db:	CNNVD	id:	CNNVD-201112-464	Trust: 0.6
db:	IVD	id:	F23C8D54-1F79-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: f23c8d54-1f79-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5585 // BID: 51192 // CNNVD: CNNVD-201112-464

REFERENCES

url:	http://www.securityfocus.com/bid/51192	Trust: 1.2
url:	http://www.vtiger.com/	Trust: 0.3
url:	http://francoisharvey.ca/2011/12/advisory-meds-2011-01-vtigercrm-anonymous-access-to-setting-module/	Trust: 0.3

sources: CNVD: CNVD-2011-5585 // BID: 51192 // CNNVD: CNNVD-201112-464

CREDITS

Francois Harvey

Trust: 0.9

sources: BID: 51192 // CNNVD: CNNVD-201112-464

SOURCES

db:	IVD	id:	f23c8d54-1f79-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-5585
db:	BID	id:	51192
db:	CNNVD	id:	CNNVD-201112-464

LAST UPDATE DATE

2022-05-17T02:06:55.835000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-5585	date:	2011-12-30T00:00:00
db:	BID	id:	51192	date:	2011-12-28T00:00:00
db:	CNNVD	id:	CNNVD-201112-464	date:	2011-12-30T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	f23c8d54-1f79-11e6-abef-000c29c66e3d	date:	2011-12-30T00:00:00
db:	CNVD	id:	CNVD-2011-5585	date:	2011-12-30T00:00:00
db:	BID	id:	51192	date:	2011-12-28T00:00:00
db:	CNNVD	id:	CNNVD-201112-464	date:	1900-01-01T00:00:00