PT-2019-17399 · Vtiger · Vtiger Crm

Credit: Akkus +1

Published: 2019-01-04 · Updated: 2019-10-24 · CVE-2019-5009

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vtiger CRM version 7.1.0 before Hotfix2

Description: The issue allows uploading files with the php3 extension through the logo upload field, under specific conditions: the file must be in PNG format and have a size of 150x40. An attacker can embed PHP code into the image, which is executed via <? ?> tags, as seen in the CompanyDetailsSave action. This bypasses the protection mechanism against bad file extensions. The affected files are actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

Recommendations: For Vtiger CRM version 7.1.0 before Hotfix2, apply Hotfix2 to resolve the issue. As a temporary workaround, restrict access to the logo upload field or disable the execution of PHP code in uploaded images until the hotfix is applied. Avoid using the php3 extension for logo uploads until the issue is resolved.
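The weakness described above is an upload check that a php3 file can satisfy when it also passes the image checks. The following is an added example of a hardened logo-upload handler written for this page; it is not Vtiger's code and does not reproduce its API. It assumes PHP 8 with the GD extension, a hypothetical function name store_logo_upload, and a storage directory $storeDir that the web server never hands to a PHP interpreter. Instead of denying known-bad extensions it allowlists a few image extensions, verifies the bytes are really that image type, and re-encodes the picture so only pixel data is stored under a server-chosen name.

```php
<?php
// Added example, not Vtiger's code: a hardened logo-upload validator.
// Assumes PHP 8 and the GD extension. $storeDir is assumed to be a directory
// that is never mapped to the PHP interpreter (outside the web root, or with
// script execution disabled in the web server configuration).

const LOGO_ALLOWED = [
    'png'  => IMAGETYPE_PNG,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'gif'  => IMAGETYPE_GIF,
];
const LOGO_MAX_BYTES = 512 * 1024;

/**
 * Validate an entry from $_FILES and write a clean copy into $storeDir.
 * Returns the stored path; throws RuntimeException on any violation.
 */
function store_logo_upload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > LOGO_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Allowlist, not denylist, applied to the LAST extension of the
    //    client-supplied name after lowercasing. "logo.php3",
    //    "logo.png.php3" and "logo.PHP3" are all rejected here.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, LOGO_ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content check that does not trust the name: getimagesize() parses
    //    the image header and reports the real type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== LOGO_ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Decode and re-encode through GD. Only pixel data survives the
    //    round trip; text chunks, metadata and trailing bytes are dropped.
    $img = match ($info[2]) {
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 4. Server-chosen file name and fixed output format; the client name
    //    never reaches the filesystem.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $dest)) {
        imagedestroy($img);
        throw new RuntimeException('could not write logo');
    }
    imagedestroy($img);
    return $dest;
}

// Usage from an upload action (example):
// $path = store_logo_upload($_FILES['logo'], '/var/app/private/logos');
```

Re-encoding removes the usual hiding places for a script payload but is a secondary control; the decisive one is that nothing written to the logo directory is ever executed, so check the web server configuration as well and confirm that handler mappings such as php3, phtml or similar are not routed to the PHP interpreter.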

Exploit · Fix

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2019-5009

Affected Products: Vtiger Crm