Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4

2008.09.01
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101 References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101 http://www.vtiger.de/ Description vtigerCRM is a Open Source Customer Relationship Management (CRM) Software. The application is vulnerable to simple Cross Site Scripting, which can be used for several isues Example Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with: http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script> Workaround/Fix vtiger CRM Security Patch for 5.0.4 [1] Disclosure Timeline 2008-07-28 Vendor contacted 2008-07-28 Vendor fixed issue in test environment 2008-07-30 Vender released patch 2008-07-30 Vendor dev statet they'll release a second patch within days 2008-09-01 published advisory, no second patch from upstream yet CVE Information The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright This vulnerability was discovered by Fabian Fingerle [2] (published with help from Hanno Boeck [3]). It's licensed under the creative commons attribution license [4]. Fabian Fingerle, 2008-09-01

References:

http://www.securityfocus.com/bid/30951
http://secunia.com/advisories/31679
http://xforce.iss.net/xforce/xfdb/44792
http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdownloads_pi1[category_uid]=5&cHash=e16be773a5
http://www.securityfocus.com/archive/1/archive/1/495885/100/0/threaded
http://www.frsirt.com/english/advisories/2008/2471
http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top