Sign-up

ID

VAR-201111-0152


CVE

CVE-2011-4559


TITLE

vTiger CRM Calendar Module SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2011-5753 // CNNVD: CNNVD-201111-458

DESCRIPTION

SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information

Trust: 2.88

sources: NVD: CVE-2011-4559 // JVNDB: JVNDB-2011-003104 // CNVD: CNVD-2011-5753 // BID: 49948 // IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52504

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.0

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753

AFFECTED PRODUCTS

vendor:vtigermodel:crmscope:lteversion:5.2.1

Trust: 1.8

vendor:vtigermodel:crmscope:eqversion:2.0.1

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:4.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:2.1

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:3.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:2.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:4.0.1

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:3.2

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:1.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:4.2

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:5.0.4

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.0.2

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.1.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.2.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:4.2.4

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.0.3

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.2.1

Trust: 0.9

vendor:vtiger crmmodel: - scope:eqversion:3.0

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:4.2

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:5.0.4

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:5.1.0

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:1.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:2.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:2.0.1

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:2.1

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:3.2

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:4.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:4.0.1

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:4.2.4

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:5.0.2

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:5.0.3

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:5.2.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:*

Trust: 0.4

vendor:vtigermodel:crmscope:eqversion:5.2

Trust: 0.3

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753 // BID: 49948 // JVNDB: JVNDB-2011-003104 // CNNVD: CNNVD-201111-458 // NVD: CVE-2011-4559

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4559
value: HIGH

Trust: 1.0

NVD: CVE-2011-4559
value: HIGH

Trust: 0.8

CNVD: CNVD-2011-5753
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201111-458
value: HIGH

Trust: 0.6

IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1
value: HIGH

Trust: 0.2

IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-52504
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-4559
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2011-5753
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-52504
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753 // VULHUB: VHN-52504 // JVNDB: JVNDB-2011-003104 // CNNVD: CNNVD-201111-458 // NVD: CVE-2011-4559

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-52504 // JVNDB: JVNDB-2011-003104 // NVD: CVE-2011-4559

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201110-300 // CNNVD: CNNVD-201111-458

TYPE

SQL injection

Trust: 1.6

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201110-300 // CNNVD: CNNVD-201111-458

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2011-003104

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-52504

PATCH
title:Top Pageurl:http://www.vtigercrm.jp/home
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2011-003104

EXTERNAL IDS
db:NVDid:CVE-2011-4559
Trust: 3.8
db:BIDid:49948
Trust: 3.2
db:OSVDBid:76138
Trust: 1.7
db:CNNVDid:CNNVD-201111-458
Trust: 1.1
db:CNVDid:CNVD-2011-5753
Trust: 1.0
db:JVNDBid:JVNDB-2011-003104
Trust: 0.8
db:CNNVDid:CNNVD-201110-300
Trust: 0.6
db:XFid:70344
Trust: 0.6
db:FULLDISCid:20111005 VTIGER CRM 5.2.X <= BLIND SQL INJECTION VULNERABILITY
Trust: 0.6
db:BUGTRAQid:20111005 VTIGER CRM 5.2.X <= BLIND SQL INJECTION VULNERABILITY
Trust: 0.6
db:IVDid:7D7D2BF1-463F-11E9-A163-000C29342CB1
Trust: 0.2
db:IVDid:5E7E5136-2354-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:EXPLOIT-DBid:36208
Trust: 0.1
db:VULHUBid:VHN-52504
Trust: 0.1
sources:
            
            
            IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // 
            
            
            
            IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2011-5753 // 
            
            
            
            VULHUB: VHN-52504 // 
            
            
            
            BID: 49948 // 
            
            
            
            JVNDB: JVNDB-2011-003104 // 
            
            
            
            CNNVD: CNNVD-201110-300 // 
            
            
            
            CNNVD: CNNVD-201111-458 // 
            
            
            
            NVD: CVE-2011-4559

REFERENCES
url:http://www.securityfocus.com/bid/49948
Trust: 2.9
url:http://yehg.net/lab/pr0js/advisories/%5bvtiger_5.2.1%5d_blind_sqlin
Trust: 2.0
url:http://seclists.org/fulldisclosure/2011/oct/224
Trust: 1.7
url:http://osvdb.org/76138
Trust: 1.7
url:http://www.securityfocus.com/archive/1/520006/100/0/threaded
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/70344
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4559
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4559
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/70344
Trust: 0.6
url:http://www.securityfocus.com/archive/1/archive/1/520006/100/0/threaded
Trust: 0.6
url:http://www.vtiger.com/
Trust: 0.3
url:https://secure.wikimedia.org/wikipedia/en/wiki/vtiger_crm
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2011-5753 // 
            
            
            
            VULHUB: VHN-52504 // 
            
            
            
            BID: 49948 // 
            
            
            
            JVNDB: JVNDB-2011-003104 // 
            
            
            
            CNNVD: CNNVD-201110-300 // 
            
            
            
            CNNVD: CNNVD-201111-458 // 
            
            
            
            NVD: CVE-2011-4559

CREDITS
Aung Khant, YGN Ethical Hacker Group and Myanmar
Trust: 0.9
sources:
            
            
            BID: 49948 // 
            
            
            
            CNNVD: CNNVD-201110-300

SOURCES
db:IVDid:7d7d2bf1-463f-11e9-a163-000c29342cb1
db:IVDid:5e7e5136-2354-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2011-5753
db:VULHUBid:VHN-52504
db:BIDid:49948
db:JVNDBid:JVNDB-2011-003104
db:CNNVDid:CNNVD-201110-300
db:CNNVDid:CNNVD-201111-458
db:NVDid:CVE-2011-4559

LAST UPDATE DATE
2024-08-14T12:31:38.030000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2011-5753date:2011-11-30T00:00:00
db:VULHUBid:VHN-52504date:2018-10-09T00:00:00
db:BIDid:49948date:2011-12-05T18:07:00
db:JVNDBid:JVNDB-2011-003104date:2011-11-30T00:00:00
db:CNNVDid:CNNVD-201110-300date:2011-10-18T00:00:00
db:CNNVDid:CNNVD-201111-458date:2011-11-30T00:00:00
db:NVDid:CVE-2011-4559date:2018-10-09T19:33:29.373

SOURCES RELEASE DATE
db:IVDid:7d7d2bf1-463f-11e9-a163-000c29342cb1date:2011-11-30T00:00:00
db:IVDid:5e7e5136-2354-11e6-abef-000c29c66e3ddate:2011-11-30T00:00:00
db:CNVDid:CNVD-2011-5753date:2011-11-30T00:00:00
db:VULHUBid:VHN-52504date:2011-11-28T00:00:00
db:BIDid:49948date:2011-10-05T00:00:00
db:JVNDBid:JVNDB-2011-003104date:2011-11-30T00:00:00
db:CNNVDid:CNNVD-201110-300date:1900-01-01T00:00:00
db:CNNVDid:CNNVD-201111-458date:2011-11-30T00:00:00
db:NVDid:CVE-2011-4559date:2011-11-28T21:55:07.997