Multiple vulnerability found on vTiger CRM 5.2.x. vTiger CRM is vulnerable to Blind SQL Injection, Remote Code Execution, Multiple Cross Site Scripting
OVERVIEW:-
The vTiger CRM 5.2.1 and lower versions are vulnerable to Blind SQL Injection. No fixed version has been released as of 2011-10-05.
BACKGROUND:-
vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. vtiger CRM is a widely used product with thousands of users in dozens of countries. It has a vibrant community of users driving the product forward, and contributing to it's development. Over 2 million copies of vtiger CRM have been downloaded so far. It was launched as a fork of version 1.0 of the SugarCRM project launched on December 31st, 2004.
VULNERABILITY DESCRIPTION:-
The vTiger CRM 5.2.1 and lower versions are vulnerable to Blind SQL Injection. No fixed version has been released as of 2011-10-05.
BACKGROUND:-
vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. vtiger CRM is a widely used product with thousands of users in dozens of countries. It has a vibrant community of users driving the product forward, and contributing to it's development. Over 2 million copies of vtiger CRM have been downloaded so far. It was launched as a fork of version 1.0 of the SugarCRM project launched on December 31st, 2004.
VULNERABILITY DESCRIPTION:-
- Blind SQL Injection:-
The "onlyforuser" parameter was not properly sanitized, which allows attacker to conduct Blind SQL Injection Attack. This could an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- Remote Code Execution:-
vTiger uses the vulnerable version of phpmailer class file located at /cron/class.phpmailer.php
- XSS:-
Multiple parameters were not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
VERSIONS AFFECTED:-
Tested on 5.2.1
VERSIONS AFFECTED:-
Tested on 5.2.1
-News Source (YGN, Security Focus)
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
NEWS
,
technews
,
vulnerablity
