ID

VAR-201111-0152


CVE

CVE-2011-4559


TITLE

vTiger CRM Calendar Module SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2011-5753 // CNNVD: CNNVD-201111-458

DESCRIPTION

SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information

Trust: 2.88

sources: NVD: CVE-2011-4559 // JVNDB: JVNDB-2011-003104 // CNVD: CNVD-2011-5753 // BID: 49948 // IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52504

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.0

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753

AFFECTED PRODUCTS

vendor:vtigermodel:crmscope:lteversion:5.2.1

Trust: 1.8

vendor:vtigermodel:crmscope:eqversion:2.0.1

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:4.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:2.1

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:3.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:2.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:4.0.1

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:3.2

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:1.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:4.2

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:5.0.4

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.0.2

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.1.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.2.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:4.2.4

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.0.3

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.2.1

Trust: 0.9

vendor:vtiger crmmodel: - scope:eqversion:3.0

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:4.2

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:5.0.4

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:5.1.0

Trust: 0.8

vendor:vtiger crmmodel: - scope:eqversion:1.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:2.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:2.0.1

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:2.1

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:3.2

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:4.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:4.0.1

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:4.2.4

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:5.0.2

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:5.0.3

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:5.2.0

Trust: 0.4

vendor:vtiger crmmodel: - scope:eqversion:*

Trust: 0.4

vendor:vtigermodel:crmscope:eqversion:5.2

Trust: 0.3

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753 // BID: 49948 // JVNDB: JVNDB-2011-003104 // CNNVD: CNNVD-201111-458 // NVD: CVE-2011-4559

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4559
value: HIGH

Trust: 1.0

NVD: CVE-2011-4559
value: HIGH

Trust: 0.8

CNVD: CNVD-2011-5753
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201111-458
value: HIGH

Trust: 0.6

IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1
value: HIGH

Trust: 0.2

IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-52504
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-4559
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2011-5753
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-52504
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753 // VULHUB: VHN-52504 // JVNDB: JVNDB-2011-003104 // CNNVD: CNNVD-201111-458 // NVD: CVE-2011-4559

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-52504 // JVNDB: JVNDB-2011-003104 // NVD: CVE-2011-4559

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201110-300 // CNNVD: CNNVD-201111-458

TYPE

SQL injection

Trust: 1.6

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201110-300 // CNNVD: CNNVD-201111-458

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-003104

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-52504

PATCH

title:Top Pageurl:http://www.vtigercrm.jp/home

Trust: 0.8

sources: JVNDB: JVNDB-2011-003104

EXTERNAL IDS

db:NVDid:CVE-2011-4559

Trust: 3.8

db:BIDid:49948

Trust: 3.2

db:OSVDBid:76138

Trust: 1.7

db:CNNVDid:CNNVD-201111-458

Trust: 1.1

db:CNVDid:CNVD-2011-5753

Trust: 1.0

db:JVNDBid:JVNDB-2011-003104

Trust: 0.8

db:CNNVDid:CNNVD-201110-300

Trust: 0.6

db:XFid:70344

Trust: 0.6

db:FULLDISCid:20111005 VTIGER CRM 5.2.X <= BLIND SQL INJECTION VULNERABILITY

Trust: 0.6

db:BUGTRAQid:20111005 VTIGER CRM 5.2.X <= BLIND SQL INJECTION VULNERABILITY

Trust: 0.6

db:IVDid:7D7D2BF1-463F-11E9-A163-000C29342CB1

Trust: 0.2

db:IVDid:5E7E5136-2354-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:EXPLOIT-DBid:36208

Trust: 0.1

db:VULHUBid:VHN-52504

Trust: 0.1

sources: IVD: 7d7d2bf1-463f-11e9-a163-000c29342cb1 // IVD: 5e7e5136-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5753 // VULHUB: VHN-52504 // BID: 49948 // JVNDB: JVNDB-2011-003104 // CNNVD: CNNVD-201110-300 // CNNVD: CNNVD-201111-458 // NVD: CVE-2011-4559

REFERENCES

url:http://www.securityfocus.com/bid/49948

Trust: 2.9

url:http://yehg.net/lab/pr0js/advisories/%5bvtiger_5.2.1%5d_blind_sqlin

Trust: 2.0

url:http://seclists.org/fulldisclosure/2011/oct/224

Trust: 1.7

url:http://osvdb.org/76138

Trust: 1.7

url:http://www.securityfocus.com/archive/1/520006/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/70344

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4559

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4559

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/70344

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/520006/100/0/threaded

Trust: 0.6

url:http://www.vtiger.com/

Trust: 0.3

url:https://secure.wikimedia.org/wikipedia/en/wiki/vtiger_crm

Trust: 0.3

sources: CNVD: CNVD-2011-5753 // VULHUB: VHN-52504 // BID: 49948 // JVNDB: JVNDB-2011-003104 // CNNVD: CNNVD-201110-300 // CNNVD: CNNVD-201111-458 // NVD: CVE-2011-4559

CREDITS

Aung Khant, YGN Ethical Hacker Group and Myanmar

Trust: 0.9

sources: BID: 49948 // CNNVD: CNNVD-201110-300

SOURCES

db:IVDid:7d7d2bf1-463f-11e9-a163-000c29342cb1
db:IVDid:5e7e5136-2354-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2011-5753
db:VULHUBid:VHN-52504
db:BIDid:49948
db:JVNDBid:JVNDB-2011-003104
db:CNNVDid:CNNVD-201110-300
db:CNNVDid:CNNVD-201111-458
db:NVDid:CVE-2011-4559

LAST UPDATE DATE

2024-08-14T12:31:38.030000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2011-5753date:2011-11-30T00:00:00
db:VULHUBid:VHN-52504date:2018-10-09T00:00:00
db:BIDid:49948date:2011-12-05T18:07:00
db:JVNDBid:JVNDB-2011-003104date:2011-11-30T00:00:00
db:CNNVDid:CNNVD-201110-300date:2011-10-18T00:00:00
db:CNNVDid:CNNVD-201111-458date:2011-11-30T00:00:00
db:NVDid:CVE-2011-4559date:2018-10-09T19:33:29.373

SOURCES RELEASE DATE

db:IVDid:7d7d2bf1-463f-11e9-a163-000c29342cb1date:2011-11-30T00:00:00
db:IVDid:5e7e5136-2354-11e6-abef-000c29c66e3ddate:2011-11-30T00:00:00
db:CNVDid:CNVD-2011-5753date:2011-11-30T00:00:00
db:VULHUBid:VHN-52504date:2011-11-28T00:00:00
db:BIDid:49948date:2011-10-05T00:00:00
db:JVNDBid:JVNDB-2011-003104date:2011-11-30T00:00:00
db:CNNVDid:CNNVD-201110-300date:1900-01-01T00:00:00
db:CNNVDid:CNNVD-201111-458date:2011-11-30T00:00:00
db:NVDid:CVE-2011-4559date:2011-11-28T21:55:07.997