Vtiger · Vtiger Crm · CVE-2023-46304
**Name of the Vulnerable Software and Affected Versions**
Vtiger CRM version 7.5.0
**Description**
A remote, authenticated attacker can execute arbitrary PHP code: an unprotected endpoint lets them write attacker-supplied code into the `config.inc.php` file, which the application includes and executes on every page load. The flaw lies in the `modules/Users/models/Module.php` file.
**Recommendations**
For Vtiger CRM version 7.5.0, as a temporary workaround, consider restricting access to the vulnerable `Module.php` file until a patch is available. Additionally, avoid using the unprotected endpoint that allows writing to the `config.inc.php` file until the issue is resolved. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
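Because the impact described above is code written into `config.inc.php`, a defender can at least detect it while the workaround is in place. The following is an added example (not Vtiger code and not part of this advisory) that compares the live file against a known-good copy kept outside the web root and reports any new line that is not a plain settings assignment; the allowed line shape and the keyword list are assumptions, and the sample files are constructed.

```python
"""config.inc.php integrity check (added example, not Vtiger code). Assumes a
known-good copy is kept outside the web root; reports lines found only in the
live file that are not plain settings assignments."""
import hashlib
import re

# Assumed shape of a legitimate setting: $name or $arr['key'] = <literal>;
SIMPLE_ASSIGN = re.compile(
    r"^\$[A-Za-z_]\w*(?:\[[^\]]*\])*\s*=\s*"
    r"(?:'[^']*'|\"[^\"]*\"|-?\d+(?:\.\d+)?|true|false|null)\s*;\s*(?://.*)?$",
    re.IGNORECASE)
# Constructs a settings file has no reason to hold; flag them even if well formed.
CODE_MARKERS = re.compile(
    r"\b(?:eval|system|exec|shell_exec|passthru|assert|base64_decode"
    r"|include(?:_once)?|require(?:_once)?)\b|\$_(?:GET|POST|REQUEST|COOKIE)|`")

def _lines(source: str) -> list[str]:
    # Blank out block comments but keep their newlines so line numbers hold.
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                    source, flags=re.S)
    return [ln.strip() for ln in source.splitlines()]

def sha256(source: str) -> str:
    """Cheap first check: has the live file diverged from the baseline at all?"""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def injected_lines(baseline: str, live: str) -> list[tuple[int, str]]:
    """Return (line_no, text) for lines only in `live` that look like code."""
    known = set(_lines(baseline))
    findings = []
    for no, line in enumerate(_lines(live), start=1):
        if not line or line in known:
            continue
        if line.startswith(("//", "#")) and "?>" not in line:
            continue  # a comment cannot execute unless it closes the PHP block
        if CODE_MARKERS.search(line) or not SIMPLE_ASSIGN.match(line):
            findings.append((no, line))
    return findings

# Constructed sample: stored baseline, and a live copy with one harmless admin
# edit plus two appended lines of the kind the advisory describes.
BASELINE = ("<?php\n"
            "/* Vtiger settings (constructed sample) */\n"
            "$dbconfig['db_server'] = 'localhost';\n"
            "$site_URL = 'https://crm.example.test/';\n")
LIVE = BASELINE + ("$default_timezone = 'UTC';\n"
                   "$probe = @file_get_contents('/tmp/m'); // INJECTED (constructed)\n"
                   "require_once '/tmp/extra.php'; // INJECTED (constructed)\n")
```

On the sample, `injected_lines(BASELINE, LIVE)` returns only the two appended lines (6 and 7); the admin's plain assignment on line 5 is not reported. Run it from a cron job or file-integrity hook against the real file and a baseline taken from a clean install.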