PT-2023-26672 · Vtiger · Vtiger Crm
Jacob Elliott
·
Published
2023-09-12
·
Updated
2023-09-20
·
CVE-2023-38891
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Vtiger CRM version 7.5.0
Description
A SQL injection flaw in the getQueryColumnsList function of ReportRun.php (part of the Reports module) allows a remote, authenticated attacker to escalate privileges. As the function name indicates, it assembles the column list of a report query; column names are SQL identifiers, so they cannot be passed as bound parameters, and an attacker-controlled column value that is concatenated into the query lets the attacker read or modify data outside their own permissions. This matches the CVSS vector: a low-privileged account is required (PR:L), no user interaction is needed (UI:N), and confidentiality, integrity and availability are all fully affected (C:H/I:H/A:H).

Recommendations
For Vtiger CRM version 7.5.0, upgrade to a release that contains the vendor's fix for CVE-2023-38891. Note that getQueryColumnsList is an internal helper of the Reports module rather than a standalone endpoint, so "disabling the function" is not a practical workaround: it would break reporting without removing the underlying query-construction flaw. Until the upgrade is applied, reduce exposure instead: since the attacker needs a valid account, use Vtiger's role and profile permissions to restrict the Reports module (and in particular the ability to create or edit reports) to trusted users, review existing accounts for stale or shared logins, and watch web and database logs for report requests whose column or field parameters contain SQL syntax. A robust code-level fix validates every requested column name against an allowlist of known columns for the report's module before it is placed into the query.

Exploit
Fix
SQL injection
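To make the class of bug and the recommended fix concrete, the following is an added example written for this page; it is not Vtiger code, not an exploit for the advisory above, and not the vendor's patch. An in-memory SQLite database with constructed `contacts` and `users` tables stands in for the CRM schema, and a report over `contacts` with caller-chosen columns stands in for the column list that a report builder assembles. The names `vulnerable_report_query`, `safe_report_query`, `ALLOWED_COLUMNS` and `INJECTED` are all hypothetical.

```python
"""Column-name injection in a report query builder: vulnerable vs. allowlisted.

Constructed example (not Vtiger code). Column names are SQL identifiers and
cannot be bound as query parameters, so the only robust defence is to accept
just the names the application already knows for the selected table.
"""
import sqlite3


def make_db():
    """Build a small in-memory schema. All rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, firstname TEXT,
                               lastname TEXT, email TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT,
                            password_hash TEXT, is_admin INTEGER);
        INSERT INTO contacts VALUES (1, 'Ada',  'Lovelace', 'ada@example.com');
        INSERT INTO contacts VALUES (2, 'Alan', 'Turing',   'alan@example.com');
        INSERT INTO users VALUES (1, 'admin', 'constructed-admin-hash', 1);
        INSERT INTO users VALUES (2, 'sales', 'constructed-sales-hash', 0);
        """
    )
    return db


def vulnerable_report_query(columns):
    """The flawed pattern: requested column names are concatenated verbatim.

    Anything the caller supplies becomes part of the SELECT list, including a
    scalar subquery that reads a table the report user is not allowed to see.
    """
    return "SELECT " + ", ".join(columns) + " FROM contacts"


# Allowlist of report columns per table; hypothetical, derived from the schema.
ALLOWED_COLUMNS = {"contacts": {"id", "firstname", "lastname", "email"}}


def safe_report_query(columns, table="contacts"):
    """The hardened pattern: exact-match each name against the allowlist.

    Quoting the identifier afterwards is belt and braces; the allowlist is the
    actual control, because quoting alone cannot make an arbitrary string safe.
    """
    allowed = ALLOWED_COLUMNS[table]
    for col in columns:
        if col not in allowed:
            raise ValueError(f"column not permitted for report: {col!r}")
    select_list = ", ".join(f'"{c}"' for c in columns)
    return f'SELECT {select_list} FROM "{table}"'


def report_or_reject(builder, columns):
    """Run a report through the given builder on a fresh database.

    Returns ("ok", rows) when the query executed and ("rejected", message)
    when the builder refused the column list.
    """
    db = make_db()
    try:
        sql = builder(columns)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", db.execute(sql).fetchall())


# A column "name" that is really a subquery against the users table
# (constructed payload for the demonstration above).
INJECTED = "(SELECT password_hash FROM users WHERE is_admin = 1)"


if __name__ == "__main__":
    print("vulnerable:", report_or_reject(vulnerable_report_query,
                                          ["firstname", INJECTED]))
    print("hardened:  ", report_or_reject(safe_report_query,
                                          ["firstname", INJECTED]))
    print("legit:     ", report_or_reject(safe_report_query,
                                          ["firstname", "lastname"]))
```

With the vulnerable builder, the injected "column" returns the admin password hash alongside every contact row; the hardened builder rejects it before any SQL is executed while still serving a legitimate column selection. The same allowlist approach applies to table names, sort columns and anything else that must appear in a query as an identifier rather than a value.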
Affected Products
Vtiger Crm