Summary
vTiger CRM PHP Code Injection Vulnerability
Impact
A remote attacker can write (or overwrite) files with any content, resulting in execution of arbitrary PHP code.
Solution
Apply the patch from the link below or upgrade to version 6.0 or later.
Insight
The installed vTiger CRM is prone to a PHP code injection vulnerability. The AddEmailAttachment SOAP method in /soap/vtigerolservice.php does not properly validate the 'filedata' and 'filename' parameters, which it uses to write an 'email attachment' into the storage directory.
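As an added illustration (not vTiger's code or its patch), the following PHP shows the checks a safe attachment-write routine needs before a caller-supplied filename reaches the filesystem; the function names, the $storageDir argument and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not vTiger's code: validate an untrusted attachment name so the
// write stays inside the storage directory and can never produce a PHP file.
function safe_attachment_path(string $storageDir, string $filename): ?string
{
    // Keep only the final path component so '../' (or '..\') cannot leave $storageDir.
    $base = basename(str_replace('\\', '/', $filename));
    // Conservative character set; this also rejects NUL bytes and empty names.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $base)) {
        return null;
    }
    // Refuse any extension segment the web server might execute as PHP. Checking every
    // dot-separated segment also catches "name.php.txt", which some Apache AddHandler
    // setups still execute.
    foreach (explode('.', strtolower($base)) as $part) {
        if (preg_match('/^(php\d?|phtml|phar|phps)$/', $part)) {
            return null;
        }
    }
    $real = realpath($storageDir);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    return $real . DIRECTORY_SEPARATOR . $base;
}

// Write the attachment bytes; never overwrite an existing file ('x' mode fails if it exists).
function write_attachment(string $storageDir, string $filename, string $filedata): bool
{
    $path = safe_attachment_path($storageDir, $filename);
    if ($path === null) {
        return false;
    }
    $fh = @fopen($path, 'xb');
    if ($fh === false) {
        return false;
    }
    $ok = fwrite($fh, $filedata) !== false;
    fclose($fh);
    return $ok;
}

// Demo with constructed inputs: traversal and PHP-executable names are rejected,
// a plain document name is stored.
$dir = sys_get_temp_dir();
var_dump(write_attachment($dir, '../../soap/note.php', 'constructed bytes'));   // bool(false)
var_dump(write_attachment($dir, 'report.php.txt', 'constructed bytes'));       // bool(false)
var_dump(write_attachment($dir, 'invoice-2013.pdf', 'constructed bytes'));     // bool(true)
```

The storage directory itself should additionally be configured so the web server never executes scripts from it, since the filename check is only one layer.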
Affected
vTiger CRM version 5.0.0 to 5.4.0.
Detection
Checks the installed vTiger CRM version.
References
Severity
CVSS Base Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Classification
CVE: CVE-2013-3214