ID

VAR-200909-0478


CVE

CVE-2009-3248


TITLE

vtiger CRM RSS module vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2009-006315

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.

Trust: 1.71

sources: NVD: CVE-2009-3248 // JVNDB: JVNDB-2009-006315 // VULHUB: VHN-40694
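The description above is the whole of what the sources record: a state-changing Save action that is authorised by the session cookie alone, so a form on an attacker's page submitted by a logged-in Admin is honoured. The following is an added example, written for this entry and not vtiger's own PHP code, that models that handler in Python beside a hardened version carrying the usual CWE-352 controls (POST-only, Origin check, synchronizer token compared in constant time, and validation of the feed URL). Only the request parameter name rssurl comes from the CVE text; Session, FeedStore, save_rss_vulnerable, save_rss_hardened, the csrf_token field name and the crm.example / attacker.example hosts are assumptions made for the example.

```python
from __future__ import annotations

import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Hypothetical names (not vtiger's): Session, FeedStore, save_rss_vulnerable,
# save_rss_hardened. "rssurl" is the parameter named in the CVE description;
# "csrf_token" is an assumed name for the anti-CSRF hidden field.


class Session:
    """Server-side session stand-in; a real app keys this by the session cookie."""

    def __init__(self, user: str, is_admin: bool) -> None:
        self.user = user
        self.is_admin = is_admin
        # Per-session secret the app embeds in its own forms as a hidden field.
        self.csrf_token = secrets.token_hex(32)


class FeedStore:
    """The state the Save action modifies (the CRM's news-feed list)."""

    def __init__(self) -> None:
        self.urls: list[str] = []


def save_rss_vulnerable(session: Session, params: dict, store: FeedStore) -> tuple[int, str]:
    """Save action that trusts the cookie-backed session alone.

    A <form method="POST"> on an attacker's page is submitted with the victim's
    session cookie attached, so this handler cannot distinguish a forged
    request from a genuine one: that is the CSRF in the description.
    """
    if not session.is_admin:
        return 403, "admin only"
    url = params.get("rssurl", "")
    if not url:
        return 400, "missing rssurl"
    store.urls.append(url)
    return 200, "saved"


def save_rss_hardened(
    session: Session,
    params: dict,
    store: FeedStore,
    method: str,
    origin: Optional[str],
    site_origin: str,
) -> tuple[int, str]:
    """Same action with the controls a reviewer would expect for CWE-352."""
    if not session.is_admin:
        return 403, "admin only"
    # State changes only via POST: an <img src=...> or plain link cannot trigger it.
    if method != "POST":
        return 405, "POST required"
    # Origin header check is defence in depth: browsers of the 2009 era did not
    # send it, so it supplements the token rather than replacing it.
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request rejected"
    # Synchronizer token: the attacker's page cannot read the victim's token, so a
    # forged form cannot supply it. compare_digest avoids a timing side channel.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403, "invalid csrf token"
    # The saved value is later fetched by the server, so restrict it to http(s).
    parsed = urlparse(params.get("rssurl", ""))
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return 400, "rssurl must be an absolute http(s) URL"
    store.urls.append(parsed.geturl())
    return 200, "saved"


def demo() -> dict:
    """Replays a forged cross-site submit and a genuine submit against both handlers."""
    site = "https://crm.example"  # assumed CRM origin
    admin = Session("admin", True)
    forged = {"rssurl": "http://attacker.example/feed.xml"}  # constructed attacker input
    genuine = {"rssurl": "https://news.example/rss", "csrf_token": admin.csrf_token}

    vuln, hard = FeedStore(), FeedStore()
    return {
        "vulnerable_forged": save_rss_vulnerable(admin, forged, vuln)[0],
        "hardened_forged": save_rss_hardened(admin, forged, hard, "POST", "https://attacker.example", site)[0],
        "hardened_forged_no_origin": save_rss_hardened(admin, forged, hard, "POST", None, site)[0],
        "hardened_get": save_rss_hardened(admin, genuine, hard, "GET", site, site)[0],
        "hardened_genuine": save_rss_hardened(admin, genuine, hard, "POST", site, site)[0],
        "vulnerable_feeds": list(vuln.urls),
        "hardened_feeds": list(hard.urls),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two forged cases in demo() are the ones that matter for this CVE: the vulnerable handler appends the attacker's feed URL, while the hardened one rejects the same request both when the browser sends a foreign Origin and when it sends none at all, because the token is the control that does not depend on the browser.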

AFFECTED PRODUCTS

vendor: vtiger  model: crm  scope: eq  version: 5.0.4

Trust: 2.4

sources: JVNDB: JVNDB-2009-006315 // CNNVD: CNNVD-200909-360 // NVD: CVE-2009-3248

CVSS

SEVERITY

nvd@nist.gov: CVE-2009-3248
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-3248
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200909-360
value: MEDIUM

Trust: 0.6

VULHUB: VHN-40694
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2009-3248
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-40694
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

(no CVSS v3 vector is recorded by any of the listed sources)

sources: VULHUB: VHN-40694 // JVNDB: JVNDB-2009-006315 // CNNVD: CNNVD-200909-360 // NVD: CVE-2009-3248

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-40694 // JVNDB: JVNDB-2009-006315 // NVD: CVE-2009-3248

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200909-360

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-200909-360

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-006315

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-40694

PATCH

title: vtiger CRM
url: https://www.vtiger.com/crm/

Trust: 0.8

sources: JVNDB: JVNDB-2009-006315

EXTERNAL IDS

db: NVD  id: CVE-2009-3248

Trust: 2.5

db: OSVDB  id: 57238

Trust: 1.7

db: EXPLOIT-DB  id: 9450

Trust: 1.7

db: BID  id: 36062

Trust: 1.7

db: VUPEN  id: ADV-2009-2319

Trust: 1.7

db: SECUNIA  id: 36309

Trust: 1.7

db: JVNDB  id: JVNDB-2009-006315

Trust: 0.8

db: CNNVD  id: CNNVD-200909-360

Trust: 0.7

db: MILW0RM  id: 9450

Trust: 0.6

db: BUGTRAQ  id: 20090818 VTIGER CRM 5.0.4 MULTIPLE VULNERABILITIES

Trust: 0.6

db: VULHUB  id: VHN-40694

Trust: 0.1

sources: VULHUB: VHN-40694 // JVNDB: JVNDB-2009-006315 // CNNVD: CNNVD-200909-360 // NVD: CVE-2009-3248

REFERENCES

url: http://www.securityfocus.com/bid/36062

Trust: 1.7

url: http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/

Trust: 1.7

url: http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt

Trust: 1.7

url: http://www.osvdb.org/57238

Trust: 1.7

url: http://secunia.com/advisories/36309

Trust: 1.7

url: http://www.vupen.com/english/advisories/2009/2319

Trust: 1.7

url: http://marc.info/?l=bugtraq&m=125060676515670&w=2

Trust: 1.6

url: http://www.exploit-db.com/exploits/9450

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3248

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3248

Trust: 0.8

url: http://www.milw0rm.com/exploits/9450

Trust: 0.6

sources: VULHUB: VHN-40694 // JVNDB: JVNDB-2009-006315 // CNNVD: CNNVD-200909-360 // NVD: CVE-2009-3248

CREDITS

Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata, Francesco "ascii" Ongaro

Trust: 0.6

sources: CNNVD: CNNVD-200909-360

SOURCES

db: VULHUB  id: VHN-40694
db: JVNDB  id: JVNDB-2009-006315
db: CNNVD  id: CNNVD-200909-360
db: NVD  id: CVE-2009-3248

LAST UPDATE DATE

2025-04-10T23:00:24.156000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-40694  date: 2017-09-19T00:00:00
db: JVNDB  id: JVNDB-2009-006315  date: 2012-12-20T00:00:00
db: CNNVD  id: CNNVD-200909-360  date: 2009-09-21T00:00:00
db: NVD  id: CVE-2009-3248  date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB  id: VHN-40694  date: 2009-09-18T00:00:00
db: JVNDB  id: JVNDB-2009-006315  date: 2012-12-20T00:00:00
db: CNNVD  id: CNNVD-200909-360  date: 2009-09-18T00:00:00
db: NVD  id: CVE-2009-3248  date: 2009-09-18T20:30:00.250