CVE-2019-5009 - Vulnerability Details - OpenCVE

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.17219.

Key SSVC decision points have not yet been added.

Vendors	Products
Vtiger Subscribe	Vtiger Crm Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:vtiger:vtiger_crm::::::::
	cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1::::::

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html
https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html
https://www.exploit-db.com/exploits/46065

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-04T14:00:00Z

Updated: 2024-09-16T23:52:10.146Z

Reserved: 2019-01-04T00:00:00Z

Link: CVE-2019-5009

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-04T14:29:00.237

Modified: 2024-11-21T04:44:10.700

Link: CVE-2019-5009

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-434

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"<? ?>\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-04T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"tags": ["x_refsource_MISC"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"name": "46065", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46065"}, {"tags": ["x_refsource_MISC"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-5009", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"<? ?>\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html", "refsource": "MISC", "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"name": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html", "refsource": "MISC", "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"name": "46065", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46065"}, {"name": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375", "refsource": "MISC", "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:40:49.181Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"name": "46065", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46065"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-5009", "datePublished": "2019-01-04T14:00:00Z", "dateReserved": "2019-01-04T00:00:00Z", "dateUpdated": "2024-09-16T23:52:10.146Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEE12792-2E47-4921-B7A0-90CB6EEB8F1F", "versionEndIncluding": "7.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "5EBD043D-53C6-4C4C-9D17-0CE7BEC3541C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"<? ?>\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."}, {"lang": "es", "value": "La versi\u00f3n 7.1.0 de Vtiger CRM anterior a Hotfix2 permite la subida de archivos con la extensi\u00f3n \"php3\" en el campo de subida de logos, si el archivo subido tiene el formato PNG y el tama\u00f1o de 150x40. Se puede introducir c\u00f3digo PHP en la imagen; este c\u00f3digo puede ejecutarse mediante etiquetas \"\", tal y como queda demostrado con una acci\u00f3n de CompanyDetailsSave. Esto omite el mecanismo de protecci\u00f3n de las extensiones de archivos maliciosos. Est\u00e1 relacionado con actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php y models/CompanyDetails.php."}], "id": "CVE-2019-5009", "lastModified": "2024-11-21T04:44:10.700", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-04T14:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46065"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46065"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}