PT-2024-30247 · Vtiger · Vtiger Crm
Davide Silvetti +5 · Published 2024-08-16 · Updated 2024-08-28 · CVE-2024-42994
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
VTiger CRM versions <= 8.1.0
Description
The issue arises from improper sanitization of user input before it is used in a SQL statement, leading to a SQL Injection in the CompanyDetails operation of the MailManager module.
Recommendations
For VTiger CRM versions <= 8.1.0, update to a version higher than 8.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the MailManager module to minimize the risk of exploitation. Avoid using the CompanyDetails operation until the issue is resolved.
Exploit
Fix
SQL injection
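To illustrate the weakness class named above, the following is an added example that is not Vtiger's code and does not use Vtiger's database layer: a lookup written with plain PHP PDO against an in-memory SQLite database, once with the request value concatenated into the SQL text (the defect pattern the advisory describes) and once with the value bound as a parameter. The table and column names (`company_details`, `name`, `website`) and the sample rows are constructed for the demonstration. A legitimate company name containing an apostrophe is enough to show the problem: the concatenated form changes the statement's structure and fails, while the bound form returns the row.

```php
<?php
// Added illustration (not Vtiger's code): the generic defect class the advisory
// names, shown with an in-memory SQLite database so it runs offline.
declare(strict_types=1);

// Constructed sample schema and rows; the table and column names are assumptions.
function buildSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE company_details (id INTEGER PRIMARY KEY, name TEXT, website TEXT)');
    $ins = $db->prepare('INSERT INTO company_details (name, website) VALUES (?, ?)');
    foreach ([['Acme Ltd', 'acme.example'], ["D'Angelo Ltd", 'dangelo.example']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Improper handling: the request parameter is concatenated into the SQL text.
// Any quote character in $name changes the structure of the statement.
function lookupCompanyUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name, website FROM company_details WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter, never as SQL text,
// so quote characters in the input cannot alter the statement.
function lookupCompanySafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, website FROM company_details WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildSampleDb();
$input = "D'Angelo Ltd"; // a legitimate value that happens to contain a single quote

try {
    lookupCompanyUnsafe($db, $input);
    echo "unsafe: no error (unexpected)\n";
} catch (PDOException $e) {
    // The apostrophe terminated the string literal, so the engine parsed a
    // different statement than the developer intended.
    echo "unsafe: query broke on legitimate input: " . $e->getMessage() . "\n";
}

$rows = lookupCompanySafe($db, $input);
echo "safe: " . count($rows) . " row(s) for " . $input . "\n";
```

The same code path that fails on an honest apostrophe is the one that an attacker-controlled value would steer, which is why the fix is binding parameters (or an equivalent prepared-statement API) rather than adding escaping around the concatenation. The advisory's vector rates the issue PR:H, so the interim mitigation of restricting who can reach the MailManager module reduces the exposed population until the update is applied.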
Weakness Enumeration
Related Identifiers
Affected Products
Vtiger Crm