Published: 28/01/2020 Updated: 31/01/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 800
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

vtiger CRM 5.4.0 and previous versions contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

vtiger vtiger crm


## # This module requires Metasploit: http//metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' require 'rexml/document' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include REXML include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper ...
--------------------------------------------------------------------------------- vtiger CRM <= 540 (customerportalphp) Two Local File Inclusion Vulnerabilities --------------------------------------------------------------------------------- [-] Software Link: wwwvtigercom/ [-] Affected Versions: [1] All versions from 510 to ...

Metasploit Modules

vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload

vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.

msf > use exploit/multi/http/vtiger_soap_upload
      msf exploit(vtiger_soap_upload) > show targets
      msf exploit(vtiger_soap_upload) > set TARGET <target-id>
      msf exploit(vtiger_soap_upload) > show options
            ...show and set options...
      msf exploit(vtiger_soap_upload) > exploit

Github Repositories


CVE-2013-3214 vTiger 540 Arbitrary File Upload to Remote Code Execution