Sign-up

ID

VAR-201112-0325


CVE

CVE-2011-4670


TITLE

vTiger CRM Cross-Site Scripting Vulnerability

Trust: 1.6

sources: IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d // IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1 // CNVD: CNVD-2011-5742 // CNNVD: CNNVD-201112-013

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php. vTiger CRM Contains a cross-site scripting vulnerability.By a third party, through the following parameters, Web Script or HTML May be inserted. Vtiger CRM is a Web-based Sales Capability Automation (SFA)-based Customer Relationship Management System (CRM). Multiple cross-site scripting vulnerabilities existed in vTiger CRM 5.2.1 and earlier. The vulnerability stems from the fact that the data provided to the user has not been properly checked. A remote attacker could exploit the vulnerability to execute arbitrary script code in an unknown user's browser in the context of the affected site, stealing a cookie-based authentication certificate and initiating other attacks, or injecting arbitrary web scripts or HTML through multiple parameters, such as: viewname And the activity_mode parameter. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. The management system provides functions such as management, collection, and analysis of customer information

Trust: 2.88

sources: NVD: CVE-2011-4670 // JVNDB: JVNDB-2011-003188 // CNVD: CNVD-2011-5742 // BID: 49927 // IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d // IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1 // VULHUB: VHN-52615

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.0

sources: IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d // IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1 // CNVD: CNVD-2011-5742

AFFECTED PRODUCTS

vendor:vtigermodel:crmscope:lteversion:5.2.1

Trust: 1.8

vendor:vtigermodel:crmscope:eqversion:5.2.1

Trust: 1.5

vendor:vtiger crmmodel: - scope:eqversion:*

Trust: 0.4

sources: IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d // IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1 // CNVD: CNVD-2011-5742 // BID: 49927 // JVNDB: JVNDB-2011-003188 // CNNVD: CNNVD-201112-013 // NVD: CVE-2011-4670

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4670
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-4670
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2011-5742
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201112-013
value: MEDIUM

Trust: 0.6

IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1
value: MEDIUM

Trust: 0.2

VULHUB: VHN-52615
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2011-4670
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2011-5742
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-52615
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d // IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1 // CNVD: CNVD-2011-5742 // VULHUB: VHN-52615 // JVNDB: JVNDB-2011-003188 // CNNVD: CNNVD-201112-013 // NVD: CVE-2011-4670

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-52615 // JVNDB: JVNDB-2011-003188 // NVD: CVE-2011-4670

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201110-359 // CNNVD: CNNVD-201112-013

TYPE

XSS

Trust: 1.2

sources: CNNVD: CNNVD-201110-359 // CNNVD: CNNVD-201112-013

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2011-003188

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-52615

PATCH
title:vtigerCRM.jpurl:http://www.vtigercrm.jp/home
Trust: 0.8
title:Top Pageurl:http://www.vtiger.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2011-003188

EXTERNAL IDS
db:NVDid:CVE-2011-4670
Trust: 3.8
db:BIDid:49927
Trust: 3.2
db:OSVDBid:76006
Trust: 1.7
db:OSVDBid:76005
Trust: 1.7
db:CNNVDid:CNNVD-201112-013
Trust: 1.1
db:EXPLOIT-DBid:36203
Trust: 1.1
db:EXPLOIT-DBid:36204
Trust: 1.1
db:CNVDid:CNVD-2011-5742
Trust: 1.0
db:JVNDBid:JVNDB-2011-003188
Trust: 0.8
db:CNNVDid:CNNVD-201110-359
Trust: 0.6
db:BUGTRAQid:20111004 VTIGER CRM 5.2.X <= MULTIPLE CROSS SITE SCRIPTING VULNERABILITIES
Trust: 0.6
db:XFid:70306
Trust: 0.6
db:FULLDISCid:20111004 VTIGER CRM 5.2.X <= MULTIPLE CROSS SITE SCRIPTING VULNERABILITIES
Trust: 0.6
db:IVDid:5A5BACB6-2354-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:IVDid:7D7E8B80-463F-11E9-BE72-000C29342CB1
Trust: 0.2
db:VULHUBid:VHN-52615
Trust: 0.1
sources:
            
            
            IVD: 5a5bacb6-2354-11e6-abef-000c29c66e3d // 
            
            
            
            IVD: 7d7e8b80-463f-11e9-be72-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2011-5742 // 
            
            
            
            VULHUB: VHN-52615 // 
            
            
            
            BID: 49927 // 
            
            
            
            JVNDB: JVNDB-2011-003188 // 
            
            
            
            CNNVD: CNNVD-201110-359 // 
            
            
            
            CNNVD: CNNVD-201112-013 // 
            
            
            
            NVD: CVE-2011-4670

REFERENCES
url:http://www.securityfocus.com/bid/49927
Trust: 2.9
url:http://seclists.org/fulldisclosure/2011/oct/154
Trust: 2.0
url:http://yehg.net/lab/pr0js/advisories/%5bvtiger_5.2.1%5d_xss
Trust: 1.7
url:http://osvdb.org/76005
Trust: 1.7
url:http://osvdb.org/76006
Trust: 1.7
url:http://www.securityfocus.com/archive/1/519993/100/0/threaded
Trust: 1.1
url:https://www.exploit-db.com/exploits/36203/
Trust: 1.1
url:https://www.exploit-db.com/exploits/36204/
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/70306
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4670
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4670
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/70306
Trust: 0.6
url:http://www.securityfocus.com/archive/1/archive/1/519993/100/0/threaded
Trust: 0.6
url:www.vtiger.de
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2011-5742 // 
            
            
            
            VULHUB: VHN-52615 // 
            
            
            
            BID: 49927 // 
            
            
            
            JVNDB: JVNDB-2011-003188 // 
            
            
            
            CNNVD: CNNVD-201110-359 // 
            
            
            
            CNNVD: CNNVD-201112-013 // 
            
            
            
            NVD: CVE-2011-4670

CREDITS
Aung Khant
Trust: 0.9
sources:
            
            
            BID: 49927 // 
            
            
            
            CNNVD: CNNVD-201110-359

SOURCES
db:IVDid:5a5bacb6-2354-11e6-abef-000c29c66e3d
db:IVDid:7d7e8b80-463f-11e9-be72-000c29342cb1
db:CNVDid:CNVD-2011-5742
db:VULHUBid:VHN-52615
db:BIDid:49927
db:JVNDBid:JVNDB-2011-003188
db:CNNVDid:CNNVD-201110-359
db:CNNVDid:CNNVD-201112-013
db:NVDid:CVE-2011-4670

LAST UPDATE DATE
2024-08-14T14:47:03.014000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2011-5742date:2011-12-05T00:00:00
db:VULHUBid:VHN-52615date:2018-10-09T00:00:00
db:BIDid:49927date:2011-12-06T19:37:00
db:JVNDBid:JVNDB-2011-003188date:2011-12-08T00:00:00
db:CNNVDid:CNNVD-201110-359date:2011-10-18T00:00:00
db:CNNVDid:CNNVD-201112-013date:2011-12-05T00:00:00
db:NVDid:CVE-2011-4670date:2018-10-09T19:33:31.467

SOURCES RELEASE DATE
db:IVDid:5a5bacb6-2354-11e6-abef-000c29c66e3ddate:2011-12-05T00:00:00
db:IVDid:7d7e8b80-463f-11e9-be72-000c29342cb1date:2011-12-05T00:00:00
db:CNVDid:CNVD-2011-5742date:2011-12-05T00:00:00
db:VULHUBid:VHN-52615date:2011-12-02T00:00:00
db:BIDid:49927date:2011-10-04T00:00:00
db:JVNDBid:JVNDB-2011-003188date:2011-12-05T00:00:00
db:CNNVDid:CNNVD-201110-359date:1900-01-01T00:00:00
db:CNNVDid:CNNVD-201112-013date:2011-12-05T00:00:00
db:NVDid:CVE-2011-4670date:2011-12-02T16:55:02.420