Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormFabian FingerlePACKETSTORM:69548
HistorySep 03, 2008 - 12:00 a.m.

vtigercrm-xss.txt

2008-09-0300:00:00
Fabian Fingerle
packetstormsecurity.com
15

0.009 Low

EPSS

Percentile

80.8%

JSON
`Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4,  
CVE-2008-3101   
  
References  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101  
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101  
http://www.vtiger.de/  
  
Description  
  
vtigerCRM is a Open Source Customer Relationship Management (CRM)  
Software. The application is vulnerable to simple Cross Site Scripting,  
which can be used for several isues   
  
Example  
  
Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can  
inject JavaScript with:  
http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script>  
http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script>  
http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script>  
  
Workaround/Fix  
  
vtiger CRM Security Patch for 5.0.4 [1]  
  
Disclosure Timeline  
  
2008-07-28 Vendor contacted  
2008-07-28 Vendor fixed issue in test environment  
2008-07-30 Vender released patch  
2008-07-30 Vendor dev statet they'll release a second patch within days  
2008-09-01 published advisory, no second patch from upstream yet  
  
CVE Information  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2008-3101 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org/), which standardizes names for  
security problems. Credits and copyright  
  
This vulnerability was discovered by Fabian Fingerle [2] (published with  
help from Hanno Boeck [3]). It's licensed under the creative  
commons attribution license [4].  
  
Fabian Fingerle, 2008-09-01  
  
[1] http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdownloads_pi1[category_uid]=5&cHash=e16be773a5  
[2] http://www.fabian-fingerle.de  
[3] http://www.hboeck.de  
[4] http://creativecommons.org/licenses/by/3.0/de/  
  
--   
_GPG_ 3D17 CAC8 1955 1908 65ED 5C51 FDA3 6A09 AB41 AB85  
_chaos events near stuttgart_ www.datensalat.eu  
`

Related

securityvulns 2
seebug 1
prion 2
cve 2
securityvulns
securityvulns
Multiple Cross Site Scripting &#40;XSS&#41; Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101
2008-09-02 00:00:00
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2008-09-02 00:00:00
seebug
seebug
vtiger CRM多个跨站脚本漏洞
2008-09-10 00:00:00
prion
prion
Cross site scripting
2008-09-03 14:12:00
Cross site scripting
2009-09-18 20:30:00
cve
cve
CVE-2008-3101
2008-09-03 14:12:00
CVE-2009-3247
2009-09-18 20:30:00

0.009 Low

EPSS

Percentile

80.8%

JSON
Related for PACKETSTORM:69548
securityvulns2seebug1prion2cve2