PT-2014-4021 · Vtiger · Vtiger Crm
Published 2014-08-12 · Updated 2018-10-09
CVE-2014-1222 · CVSS v2.0 4.0 Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Vtiger CRM versions prior to 6.0.0 Security patch 1
Description
A directory traversal issue allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter of a download action. This issue is likely in the KCFinder third-party component (kcfinder/browse.php) and may affect additional products besides Vtiger CRM. The CVSS vector (Au:S) reflects that a valid account is required, so exposure also depends on who can log in to the CRM.
Recommendations
For versions prior to 6.0.0 Security patch 1, update to version 6.0.0 Security patch 1 to resolve the issue. As a temporary workaround, restrict access to the kcfinder/browse.php file (for example with a web-server rule) to minimize the risk of exploitation, and treat the file parameter of the download action as untrusted until the patch is applied. After patching, confirm that a download request whose file value contains ../ is refused rather than served.
Exploit
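The traversal pattern the description names, as an added example written for this advisory (it is not KCFinder's or Vtiger's code): a naive download handler that joins the user-supplied file value onto the upload root, the common but insufficient "../" stripping that a filter-bypass form walks through, and a hardened handler that canonicalises with realpath and checks containment. The upload root, file names and file values are constructed for the example; POSIX paths are assumed.

```python
"""Added illustration of the traversal described above: not KCFinder's or
Vtiger's code. The upload root, file names and `file` parameter values are
constructed for the example; POSIX paths are assumed."""
import os
import shutil
import tempfile


class DownloadError(Exception):
    """Raised when a requested path is refused by the hardened handler."""


def vulnerable_download(base_dir: str, file_param: str) -> bytes:
    """Naive download action: the user-controlled name is joined onto the
    upload root with no containment check, so "../secret.txt" walks out of
    it. This is the shape of bug the advisory describes for `file`."""
    with open(os.path.join(base_dir, file_param), "rb") as fh:
        return fh.read()


def strip_dotdot_download(base_dir: str, file_param: str) -> bytes:
    """Common but insufficient fix: delete "../" from the input once.
    "....//secret.txt" collapses to "../secret.txt" after the removal, so
    the traversal survives the filter."""
    cleaned = file_param.replace("../", "")
    with open(os.path.join(base_dir, cleaned), "rb") as fh:
        return fh.read()


def safe_download(base_dir: str, file_param: str) -> bytes:
    """Hardened download action: canonicalise both the root and the
    candidate (resolving "..", "." and symlinks), then require the candidate
    to sit inside the root. commonpath is used instead of startswith so a
    sibling such as "/srv/upload2" is not mistaken for "/srv/upload". An
    absolute `file` value is also caught: os.path.join discards the root
    when the second argument is absolute, and realpath then lands outside."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, file_param))
    if os.path.commonpath([root, candidate]) != root:
        raise DownloadError("path escapes upload root: %r" % file_param)
    if not os.path.isfile(candidate):
        raise DownloadError("not a regular file: %r" % file_param)
    with open(candidate, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed tree (upload/report.pdf inside the root,
    secret.txt beside it) and run the three handlers against legitimate and
    traversal inputs. Returns what each handler served or how many
    traversal attempts the hardened handler refused."""
    tmp = tempfile.mkdtemp(prefix="kcfinder-demo-")
    try:
        upload = os.path.join(tmp, "upload")
        os.makedirs(upload)
        with open(os.path.join(upload, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 report")
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
            fh.write(b"db_password=example")

        results = {
            # both weak handlers hand over the file outside the upload root
            "vulnerable_traversal": vulnerable_download(upload, "../secret.txt"),
            "stripped_bypass": strip_dotdot_download(upload, "....//secret.txt"),
            # the hardened handler still serves a legitimate file
            "safe_legit": safe_download(upload, "report.pdf"),
        }
        # relative traversal, the filter-bypass form and an absolute path
        payloads = ["../secret.txt", "....//secret.txt",
                    os.path.join(tmp, "secret.txt")]
        blocked = 0
        for payload in payloads:
            try:
                safe_download(upload, payload)
            except DownloadError:
                blocked += 1
        results["safe_blocked"] = blocked
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the middle handler is that blacklisting ".." is not a fix: the check has to be made on the canonical path, after the operating system has resolved the traversal, and it has to be a containment test rather than a string prefix test.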
Fix
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2014-1222
Affected Products
Vtiger Crm