CVE-2010-3909

Name of the Vulnerable Software and Affected Versions vtiger CRM versions prior to 5.2.1

Description The issue allows remote authenticated users to execute arbitrary code by uploading a file with a .phtml extension using the draft save feature in the Compose Mail component, and then accessing this file via a direct request to the file in the storage/ directory tree.

Recommendations For versions prior to 5.2.1, update to version 5.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the storage/ directory tree to minimize the risk of exploitation. Avoid using the draft save feature in the Compose Mail component until the issue is resolved.