PT-2010-5161 · Vtiger · Vtiger Crm

Published

2010-11-26

Updated

2018-10-30

CVE-2010-3909

CVSS v2.0

6.0

Medium

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions vtiger CRM versions prior to 5.2.1

Description The issue allows remote authenticated users to execute arbitrary code by uploading a file with a .phtml extension using the draft save feature in the Compose Mail component, and then accessing this file via a direct request to the file in the storage/ directory tree.

Recommendations For versions prior to 5.2.1, update to version 5.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the storage/ directory tree to minimize the risk of exploitation. Avoid using the draft save feature in the Compose Mail component until the issue is resolved.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2010-3909

Affected Products

Vtiger Crm

PT-2010-5161 · Vtiger · Vtiger Crm

CVE-2010-3909

Weakness Enumeration

Related Identifiers

Affected Products

References · 7