Vtiger 'return_url' Parameter Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Vtiger CRM and is prone to multiple xss vulnerabilities

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site Impact Level: Application

Solution

Upgrade to the latest version of Vtiger 6.0 or later, For updates refer to https://www.vtiger.com

Insight

Flaws are due to improper sanitation of user supplied input passed via 'return_url' parameter to savetemplate.php and unspecified vectors to deletetask.php, edittask.php, savetask.php, or saveworkflow.php.

Affected

Vtiger CRM version 5.4.0

Detection

Send a crafted HTTP GET request and check whether it responds with error message.

References

http://packetstormsecurity.com/files/124402
http://seclists.org/bugtraq/2013/Dec/51
http://www.osvdb.com/100897
http://xforce.iss.net/xforce/xfdb/89662

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-7326

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities
AMSI 'file' Parameter Directory Traversal Vulnerability
Apache Tomcat Information Disclosure Vulnerability
An Image Gallery Multiple Cross-Site Scripting Vulnerability
Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities

Take action and discover your vulnerabilities