Podatność CVE-2010-3911


Publikacja: 2010-11-26   Modyfikacja: 2012-02-13

Opis:
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php.

W naszej bazie, znaleźliśmy następujące noty dla tego CVE:
Tytuł
Autor
Data
Med.
Vtiger CRM 5.2.0 Multiple Vulnerabilities
ascii
30.11.2010

Typ:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Producent: Vtiger
Produkt: Vtiger crm 
Wersje:
5.2.0
5.1.0
5.0.4
5.0.3
5.0.2
5.0.0
5
4.2.4
4.2
4.0.1
4.0
3.2
3.0
2.1
2.0.1
2.0
1.0

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
4.3/10
2.9/10
8.6/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Średnia
Nie wymagana
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Brak
Częściowy
Brak

 Referencje:
http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/
http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes
http://www.securityfocus.com/archive/1/514846/100/0/threaded
http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt

Podobne CVE
CVE-2018-8047
vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via ind...
CVE-2016-10754
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
CVE-2019-11057
SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
CVE-2019-5009
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tag...
CVE-2016-1713
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a cra...
CVE-2016-4834
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.
CVE-2014-2268
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by ex...
CVE-2014-1222
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that thi...

Copyright 2019, cxsecurity.com

 

Back to Top