CVE-2010-3910

Name of the Vulnerable Software and Affected Versions vtiger CRM versions prior to 5.2.1

Description The issue concerns multiple directory traversal vulnerabilities in the return application language function. These vulnerabilities allow remote attackers to include and execute arbitrary local files. This can be achieved by providing a .. (dot dot) in specific parameters, such as the lang crm parameter to "phprint.php" or the current language parameter in an Accounts Import action to "graph.php".

Recommendations For versions prior to 5.2.1, update to version 5.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "phprint.php" and "graph.php" scripts to minimize the risk of exploitation. Additionally, avoid using the lang crm and current language parameters in the affected API endpoints until the issue is resolved.