CVE-2016-1713

Name of the Vulnerable Software and Affected Versions Vtiger CRM version 6.4.0

Description The issue is related to an unrestricted file upload vulnerability in the Settings Vtiger CompanyDetailsSave Action class. This allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension and then accessing it via a direct request to the file. The vulnerability exists due to an incomplete fix for a previous issue.

Recommendations For Vtiger CRM version 6.4.0, consider restricting access to the CompanyDetailsSave.php file in the modules/Settings/Vtiger/actions/ directory to prevent exploitation until a proper fix is available. As a temporary workaround, avoid using the CompanyDetailsSave Action class until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.