Published: 18/09/2009 Updated: 19/09/2017

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

VMScore: 760

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote malicious users to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files.

Vulnerable Product	Search on Vulmon	Subscribe to Product
vtiger vtiger crm 5.0.4

Vtiger CRM version 504 pre-authentication local file inclusion exploit ...

Vtiger CRM 504 Multiple Vulnerabilities Name Multiple Vulnerabilities in Vtiger CRM Systems Affected Vtiger CRM 504 and possibly earlier versions Severity Medium Impact (CVSSv2) Medium 6/10, vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) Vendor wwwvtigercrmcom Advisory wwwushit/team/ush/hack-vt ...

#!/usr/bin/python # ~INFORMATION: # # Exploit Title: Vtiger CRM 504 Pre-Auth Local File Inclusion Exploit # # Google Dork: "The honest Open Source CRM" "vtiger CRM 504" # # Date: 5/3/2011 # # CVE: CVE-2009-3249 # # Windows link: bitly/fiOYCL # # Linux link: bitly/hluzLf # # Tested on: Windows ...

CWE-22 http://www.vupen.com/english/advisories/2009/2319 http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt http://www.osvdb.org/57239 http://secunia.com/advisories/36309 http://www.securityfocus.com/bid/36062 http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/http://marc.info/?l=bugtraq&m=125060676515670&w=2 http://securityreason.com/securityalert/8118 http://www.exploit-db.com/exploits/9450 https://nvd.nist.gov https://packetstormsecurity.com/files/98990/Vtiger-CRM-5.0.4-Local-File-Inclusion.html https://www.exploit-db.com/exploits/9450/

CVE-2009-3249

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect