SAINT CorporationSAINT:69127EFA1BB7E59F7D35B9A6D92957A0vTiger CRM AddEmailAttachment arbitrary file upload
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.866 High
EPSS
Percentile
98.3%
Added: 01/10/2014
CVE: CVE-2013-3214
BID: 61558
OSVDB: 95902
Background
vTiger CRM is a customer relationship management application written in PHP.
Problem
An arbitrary file upload vulnerability when handling SOAP AddEmailAttachment requests allows remote attackers to execute arbitrary commands by uploading PHP scripts under the web root.
Resolution
Upgrade to version 6.0 when available, or apply the patch. Note that the patch only prevents exploitation by unauthenticated attackers.
References
<http://seclists.org/bugtraq/2013/Aug/7>
Limitations
Exploit works on vTiger CRM 5.4.0.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.866 High
EPSS
Percentile
98.3%