Details of VAR-200909-0477

ID

VAR-200909-0477

CVE

CVE-2009-3247

TITLE

vtiger CRM of Activities Module cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-006314

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3. vtiger CRM is prone to multiple input-validation vulnerabilities: - A remote PHP code-execution vulnerability - Multiple local file-include vulnerabilities - A cross-site scripting vulnerability - Multiple cross-site request-forgery vulnerabilities Attackers can exploit these issues to execute arbitrary script code within the context of the webserver, perform unauthorized actions, compromise the affected application, steal cookie-based authentication credentials, or obtain information that could aid in further attacks. The issues affect vtiger CRM 5.0.4; other versions may also be affected

Trust: 2.07

sources: NVD: CVE-2009-3247 // JVNDB: JVNDB-2009-006314 // BID: 36062 // VULHUB: VHN-40693 // VULMON: CVE-2009-3247

AFFECTED PRODUCTS

vendor:

vtiger

model:

crm

scope:

version:

5.0.4

Trust: 2.7

sources: BID: 36062 // JVNDB: JVNDB-2009-006314 // CNNVD: CNNVD-200909-359 // NVD: CVE-2009-3247

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2009-3247
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2009-3247
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200909-359
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-40693
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2009-3247
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2009-3247
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-40693
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-40693 // VULMON: CVE-2009-3247 // JVNDB: JVNDB-2009-006314 // CNNVD: CNNVD-200909-359 // NVD: CVE-2009-3247

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-40693 // JVNDB: JVNDB-2009-006314 // NVD: CVE-2009-3247

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200909-359

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200909-359

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-006314

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-40693 // VULMON: CVE-2009-3247

PATCH

title:

vtiger CRM

url:

https://www.vtiger.com/crm/

Trust: 0.8

sources: JVNDB: JVNDB-2009-006314

EXTERNAL IDS

db:	NVD	id:	CVE-2009-3247	Trust: 2.9
db:	BID	id:	36062	Trust: 2.1
db:	EXPLOIT-DB	id:	9450	Trust: 1.8
db:	SECUNIA	id:	36309	Trust: 1.8
db:	OSVDB	id:	57240	Trust: 1.8
db:	VUPEN	id:	ADV-2009-2319	Trust: 1.8
db:	JVNDB	id:	JVNDB-2009-006314	Trust: 0.8
db:	CNNVD	id:	CNNVD-200909-359	Trust: 0.7
db:	MILW0RM	id:	9450	Trust: 0.6
db:	VULHUB	id:	VHN-40693	Trust: 0.1
db:	VULMON	id:	CVE-2009-3247	Trust: 0.1

sources: VULHUB: VHN-40693 // VULMON: CVE-2009-3247 // BID: 36062 // JVNDB: JVNDB-2009-006314 // CNNVD: CNNVD-200909-359 // NVD: CVE-2009-3247

REFERENCES

url:	http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt	Trust: 2.1
url:	http://www.securityfocus.com/bid/36062	Trust: 1.9
url:	http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/	Trust: 1.8
url:	http://www.osvdb.org/57240	Trust: 1.8
url:	http://secunia.com/advisories/36309	Trust: 1.8
url:	http://www.vupen.com/english/advisories/2009/2319	Trust: 1.8
url:	http://www.exploit-db.com/exploits/9450	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3247	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3247	Trust: 0.8
url:	http://www.milw0rm.com/exploits/9450	Trust: 0.6
url:	http://www.vtiger.com/	Trust: 0.3
url:	/archive/1/505834	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.exploit-db.com/exploits/9450/	Trust: 0.1

sources: VULHUB: VHN-40693 // VULMON: CVE-2009-3247 // BID: 36062 // JVNDB: JVNDB-2009-006314 // CNNVD: CNNVD-200909-359 // NVD: CVE-2009-3247

CREDITS

Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata, Francesco "ascii" Ongaro

Trust: 0.9

sources: BID: 36062 // CNNVD: CNNVD-200909-359

SOURCES

db:	VULHUB	id:	VHN-40693
db:	VULMON	id:	CVE-2009-3247
db:	BID	id:	36062
db:	JVNDB	id:	JVNDB-2009-006314
db:	CNNVD	id:	CNNVD-200909-359
db:	NVD	id:	CVE-2009-3247

LAST UPDATE DATE

2025-04-10T23:00:24.026000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-40693	date:	2017-09-19T00:00:00
db:	VULMON	id:	CVE-2009-3247	date:	2017-09-19T00:00:00
db:	BID	id:	36062	date:	2015-04-13T21:08:00
db:	JVNDB	id:	JVNDB-2009-006314	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200909-359	date:	2009-09-21T00:00:00
db:	NVD	id:	CVE-2009-3247	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-40693	date:	2009-09-18T00:00:00
db:	VULMON	id:	CVE-2009-3247	date:	2009-09-18T00:00:00
db:	BID	id:	36062	date:	2009-08-18T00:00:00
db:	JVNDB	id:	JVNDB-2009-006314	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200909-359	date:	2009-09-18T00:00:00
db:	NVD	id:	CVE-2009-3247	date:	2009-09-18T20:30:00.217