PT-2005-4566 · Vtiger · Vtiger Crm

Published: 2005-11-26 · Updated: 2018-10-19 · CVE-2005-3818

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: vTiger CRM versions 4.2 and earlier

Description: The issue allows remote attackers to inject arbitrary web script or HTML via various input fields, including the contact, lead, and first or last name fields. The record parameter of a DetailView action in the Leads module of "index.php" is also vulnerable, as is the $_SERVER['PHP_SELF'] variable, which is used in multiple locations including "index.php". Aggregated RSS feeds in the RSS aggregation module are vulnerable to injection as well.

Recommendations: For vTiger CRM versions 4.2 and earlier, consider disabling the contact, lead, and first or last name input fields until a patch is available. Restrict access to the Leads module and the RSS aggregation module to minimize the risk of exploitation. Avoid using the record parameter of the DetailView action in "index.php" in the Leads module until the issue is resolved. As a temporary workaround, validate and sanitize user input to prevent injection of arbitrary web script or HTML.
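As an added example (not vTiger's own code), the snippet below shows the $_SERVER['PHP_SELF'] pattern the advisory describes next to an output-encoded version, and applies the same encoding to the name fields when they are rendered; the function names and demonstration values are constructed for illustration.

```php
<?php
// Added example, not code from vTiger CRM. Function names are hypothetical.

// Vulnerable pattern: PHP_SELF echoes the request path, including any
// trailing path info the client appended, straight into the markup.
function form_action_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// HTML-encode a value for placement in element text or a quoted attribute.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode the path (quotes included) so any markup in it is
// rendered as text. Using the script's known path instead of PHP_SELF removes
// the client-controlled part entirely.
function form_action_safe(): string
{
    return '<form action="' . html_encode($_SERVER['PHP_SELF']) . '" method="post">';
}

// Stored fields (contact, lead, first/last name) must be encoded at output
// time as well; encoding only on input does not protect views that print raw.
function render_name(string $first, string $last): string
{
    return '<td>' . html_encode($first) . ' ' . html_encode($last) . '</td>';
}

// Constructed demonstration values, not taken from the advisory.
$_SERVER['PHP_SELF'] = '/index.php/"><i>path-info</i>';
echo form_action_unsafe(), "\n";                // markup from the path lands in the page
echo form_action_safe(), "\n";                  // same value rendered as inert text
echo render_name('<b>Ann</b>', 'Lee'), "\n";    // tags shown literally, not interpreted
```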


Related Identifiers: CVE-2005-3818

Affected Products: Vtiger Crm