PT-2014-4021 · Vtiger · Vtiger Crm
Published 2014-08-12 · Updated 2018-10-09 · CVE-2014-1222
| CVSS v2.0 | 4.0 (Medium) |
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Vtiger CRM versions prior to 6.0.0 Security patch 1
Description
A directory traversal issue allows remote authenticated users to read arbitrary files via a `..` (dot dot) sequence in the `file` parameter of a download action. The issue is likely located in the KCFinder third-party component and may therefore affect additional products besides Vtiger CRM.

Recommendations
For versions prior to 6.0.0 Security patch 1, update to version 6.0.0 Security patch 1 to resolve the issue. As a temporary workaround, consider restricting access to the `kcfinder/browse.php` file to minimize the risk of exploitation, and avoid using the `file` parameter of the download action until the issue is resolved.

Exploit
Fix
Path traversal
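The description above names the defect (a `..` sequence in the `file` parameter of a download action) and the recommendations name the mitigation (restrict `kcfinder/browse.php`, stop using the parameter until patched). The following is an added example, not code from Vtiger CRM or KCFinder: a root-containment check of the kind a download handler needs, written in Python rather than KCFinder's PHP so it runs stand-alone, plus a scanner that flags traversal-looking requests to `browse.php` in access-log lines. The upload root, the query-string layout and the log lines are constructed assumptions.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed upload root (assumption: the real KCFinder root depends on the CRM configuration).
UPLOAD_ROOT = "/var/www/vtiger/storage/kcfinder"


def resolve_download_path(file_param: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the absolute path to serve for a `file` value, or None when the
    value escapes the upload root (the ".." traversal class in this advisory).
    Decoding happens before normalisation so "%2e%2e/" is handled like "../"."""
    decoded = unquote(unquote(file_param))  # collapse single and double percent-encoding
    if "\x00" in decoded:  # NUL bytes truncate paths in some runtimes; reject outright
        return None
    # Treat the value as relative to the root even if the client sends a leading "/".
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# Detection side: flag access-log lines that hit kcfinder/browse.php with a
# traversal-looking `file` value. The pattern is checked on the decoded value.
_TRAVERSAL = re.compile(r"(?:\.\.|%2e%2e)[\\/%]", re.IGNORECASE)
_FILE_PARAM = re.compile(r"[?&]file=([^&\s\"]*)")


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    hits = []
    for line in log_lines:
        if "kcfinder/browse.php" not in line:
            continue
        m = _FILE_PARAM.search(line)
        if m and _TRAVERSAL.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed access-log lines (combined log format; the query layout is an assumption).
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Aug/2014:10:01:02 +0000] "GET /kcfinder/browse.php?type=files&act=download&file=report.pdf HTTP/1.1" 200 8123',
    '10.0.0.9 - bob [12/Aug/2014:10:03:44 +0000] "GET /kcfinder/browse.php?type=files&act=download&file=../../../../etc/passwd HTTP/1.1" 200 1711',
    '10.0.0.9 - bob [12/Aug/2014:10:03:50 +0000] "GET /kcfinder/browse.php?type=files&act=download&file=%2e%2e%2f%2e%2e%2fconfig.inc.php HTTP/1.1" 200 2210',
]
```

Only the first sample line resolves to a path inside the root; the other two are rejected by the resolver and flagged by the log scanner.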
Weakness Enumeration
Related identifiers
Affected products
Vtiger Crm