PT-2014-2662 · Vtiger · Vtiger Crm
Egidio
Published 2014-04-02 · Updated 2017-08-29
CVE-2013-3213
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
vTiger CRM versions 5.0.0 through 5.4.0
Description
The issue allows remote attackers to execute arbitrary SQL commands via several parameters, including the picklist name parameter in the "get picklists" method to "soap/customerportal.php", the where parameter in the "get tickets list" method to "soap/customerportal.php", or the emailaddress parameter in the "SearchContactsByEmail" method to "soap/vtigerolservice.php". Additionally, remote authenticated users can execute arbitrary SQL commands via the emailaddress parameter in the "SearchContactsByEmail" method to "soap/thunderbirdplugin.php".
Recommendations
For versions 5.0.0 through 5.4.0, consider disabling the get picklists and get tickets list methods in "soap/customerportal.php" and the SearchContactsByEmail method in "soap/vtigerolservice.php" and "soap/thunderbirdplugin.php" until a patch is available. Restrict access to these methods to minimize the risk of exploitation. Avoid using the picklist name, where, and emailaddress parameters in the affected API endpoints until the issue is resolved.
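As an added example (not code from the advisory or from the vTiger project), the following Python script triages web server access logs for requests to the three SOAP endpoints named above and marks those coming from outside a trusted network, which supports the "restrict access" recommendation while a patch is pending. The log lines, the `/vtigercrm/` install prefix and the trusted network `10.0.0.0/8` are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# The SOAP endpoints named in the advisory (paths as given on the page).
AFFECTED_ENDPOINTS = (
    "/soap/customerportal.php",
    "/soap/vtigerolservice.php",
    "/soap/thunderbirdplugin.php",
)

# Apache/nginx "combined" log format; the request line is split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; the /vtigercrm/ prefix is an assumed install path.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2014:10:01:12 +0000] "POST /vtigercrm/soap/customerportal.php HTTP/1.1" 200 1532
10.0.0.5 - - [02/Apr/2014:10:01:15 +0000] "POST /vtigercrm/soap/thunderbirdplugin.php HTTP/1.1" 200 412
203.0.113.9 - - [02/Apr/2014:10:02:03 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 9981
198.51.100.4 - - [02/Apr/2014:10:02:40 +0000] "POST /vtigercrm/soap/vtigerolservice.php HTTP/1.1" 500 88
"""


def flag_soap_requests(log_text: str, trusted_nets: List[str]) -> List[Dict[str, str]]:
    """Return one record per request that reached an affected SOAP endpoint.

    Each record carries the client IP, the endpoint, the HTTP status and whether
    the client lies outside the trusted networks. Requests to other paths are
    ignored and lines that do not parse are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        endpoint = next((e for e in AFFECTED_ENDPOINTS if path.endswith(e)), None)
        if endpoint is None:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        flagged.append({
            "ip": str(ip),
            "endpoint": endpoint,
            "status": m.group("status"),
            "untrusted": "no" if any(ip in n for n in nets) else "yes",
        })
    return flagged


if __name__ == "__main__":
    for rec in flag_soap_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(rec)
```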
RCE
SQL injection
Affected Products
Vtiger Crm