Multiple vulnerabilities in Vtiger CRM
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-11057 CVE-2019-5009 |
| CWE-ID | CWE-89 CWE-434 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Vtiger CRM Other software / Other software solutions |
| Vendor | Vtiger |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) SQL injection
EUVDB-ID: #VU35892
Risk: High
CVSSv3.1: 8.1 [AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-11057
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsVtiger CRM: 7.1.0
CPE2.3 External linkshttp://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html
http://medium.com/@mohnishdhage/sql-injection-vtiger-crm-v7-1-0-cve-2019-11057-245f84fc5c2c
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Arbitrary file upload
EUVDB-ID: #VU36249
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5009
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to execute arbitrary code.
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.
MitigationInstall update from vendor's website.
Vulnerable software versionsVtiger CRM: 7.1.0
CPE2.3 External linkshttp://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html
http://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html
http://www.exploit-db.com/exploits/46065
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
