Summary
This host is installed with Vtiger CRM and is prone to multiple SQL injection vulnerabilities.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code, bypass certain security restrictions, manipulate certain data, and compromise a vulnerable system.
Impact Level: Application
Solution
Apply the patch from the link below:
https://www.vtiger.com/products/crm/540/VtigerCRM540_Security_Patch.zip
*****
NOTE: Ignore this warning if the above-mentioned patch has already been applied manually.
*****
Insight
Multiple flaws are due to:
- Input passed via multiple parameters to various SOAP methods is not properly sanitised before being used in a SQL query.
- An error within the 'validateSession()' function, and multiple unspecified errors.
Affected
Vtiger CRM versions 5.0.0 through 5.4.0
Detection
Sends a crafted HTTP GET request and checks whether the response contains an error message.
Severity
CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Classification
CVE: CVE-2013-3213