Summary
This host is installed with vTiger CRM and is prone to xss and sql injection vulnerabilities.
Impact
Successful exploitation will allow attacker to execute arbitrary HTML or script code and inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Impact Level: Application
Solution
Apply the patch from the below link or upgrade to version 6.0 or later, For patch refer to http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product For updates refer to http://www.vtiger.com
*****
NOTE: Ignore this warning, if above mentioned patch is manually applied.
*****
Insight
Flaw is due to the /index.php script not properly sanitizing user-supplied input to the 'onlyforuser' parameter and savetemplate.php, deletetask.php, edittask.php, savetask.php and saveworkflow.php scripts are not properly sanitizing the input passed via the 'return_url' parameter.
Affected
vTiger CRM version 5.4.0 and prior.
Detection
Get the installed version with the help of detect NVT and check the version is vulnerable or not.
References
Severity
Classification
-
CVE CVE-2013-5091 -
CVSS Base Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Related Vulnerabilities
- AdaptCMS 'init.php' Remote File Include Vulnerability
- Apache mod_proxy_ajp Information Disclosure Vulnerability
- Apache Tomcat RemoteFilterValve Security Bypass Vulnerability
- @Mail 'MailType' Parameter Cross Site Scripting Vulnerability
- Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability