CVE-2014-2268

Published: 16/11/2014 Updated: 20/11/2017
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 545
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote malicious users to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.

Vulnerable Products

vtiger vtiger crm 1.0
vtiger vtiger crm 2.0
vtiger vtiger crm 2.0.1
vtiger vtiger crm 2.1
vtiger vtiger crm 5.0.2
vtiger vtiger crm 5.0.3
vtiger vtiger crm 5.0.4
vtiger vtiger crm 5.1.0
vtiger vtiger crm 4
vtiger vtiger crm 4.0
vtiger vtiger crm 5.0.1
vtiger vtiger crm 5.3.0
vtiger vtiger crm 5.2.0
vtiger vtiger crm 4.2
vtiger vtiger crm 6.0.0
vtiger vtiger crm 5.4.0
vtiger vtiger crm 3.0
vtiger vtiger crm 5.0.0
vtiger vtiger crm 3.2
vtiger vtiger crm 4.2.4
vtiger vtiger crm 5.2.1
vtiger vtiger crm 4.0.1

Exploits

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      # Application database configuration is overwritten
      Rank = ManualRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        ...

Mailing Lists

This Metasploit module exploits an arbitrary command execution vulnerability in the Vtiger install script. This Metasploit module is set to ManualRanking because it overwrites the target database configuration, which may result in a broken web app, and you may not be able to get a session again ...

Metasploit Modules

Vtiger Install Unauthenticated Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the Vtiger install script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may result in a broken web app, and you may not be able to get a session again.

    msf > use exploit/multi/http/vtiger_install_rce
    msf exploit(vtiger_install_rce) > show targets
        ...targets...
    msf exploit(vtiger_install_rce) > set TARGET <target-id>
    msf exploit(vtiger_install_rce) > show options
        ...show and set options...
    msf exploit(vtiger_install_rce) > exploit