Published: 18/09/2009 Updated: 19/09/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 760
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote malicious users to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.
Vulnerable Product Search on Vulmon Subscribe to Product

vtiger vtiger crm 5.0.4


#!/usr/bin/python # ~INFORMATION: # # Exploit Title: Vtiger CRM 504 Pre-Auth Local File Inclusion Exploit # # Google Dork: "The honest Open Source CRM" "vtiger CRM 504" # # Date: 5/3/2011 # # CVE: CVE-2009-3249 # # Windows link: bitly/fiOYCL # # Linux link: bitly/hluzLf # # Tested on: Windows ...
Vtiger CRM 504 Multiple Vulnerabilities Name Multiple Vulnerabilities in Vtiger CRM Systems Affected Vtiger CRM 504 and possibly earlier versions Severity Medium Impact (CVSSv2) Medium 6/10, vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) Vendor wwwvtigercrmcom Advisory wwwushit/team/ush/hack-vt ...

Mailing Lists

Vtiger CRM version 504 pre-authentication local file inclusion exploit ...