Описание
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.
Ссылки
- Vendor Advisory
- ExploitThird Party Advisory
- Third Party AdvisoryVDB Entry
- ExploitThird Party Advisory
- Vendor Advisory
- ExploitThird Party Advisory
- Third Party AdvisoryVDB Entry
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.2.1:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:6.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:6.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:vtiger:vtiger_crm:6.0.0:sp1:*:*:*:*:*:*
EPSS
Процентиль: 99%
0.77294
Высокий
5 Medium
CVSS2
Дефекты
CWE-264
Связанные уязвимости
github
больше 3 лет назад
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.
EPSS
Процентиль: 99%
0.77294
Высокий
5 Medium
CVSS2
Дефекты
CWE-264