CVE-2010-3909
Published Nov 26, 2010
Last updated 6 years ago
Overview
- Description
- Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree.
- Source
- cve@mitre.org
- NVD status
- Modified
Risk scores
CVSS 2.0
- Type
- Primary
- Base score
- 6
- Impact score
- 6.4
- Exploitability score
- 6.8
- Vector string
- AV:N/AC:M/Au:S/C:P/I:P/A:P
Weaknesses
- nvd@nist.gov
- CWE-94
Evaluator
- Comment
- Per http://cwe.mitre.org/data/definitions/184.html, the weakness is 'CWE-184: Incomplete Blacklist'
- Impact
- -
- Solution
- -
Configurations
[ { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11DDE2EA-CD9C-456F-ADBF-BDBF13569065" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "367F7FC6-7C3F-4CC3-8448-B9F8834CFDF7", "versionEndIncluding": "5.2.0" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E55C900-AAB5-46A2-B650-ED3A9DE52C94" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB4792CC-85E3-4317-A632-5A130E9C6F98" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAB300C8-ABE4-45BA-B260-570DD1E32F6E" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF0C897F-2066-43C3-AB44-EE66DB0C2B22" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "458323BE-8583-435D-85B6-9F5F66F664A1" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D67FC276-11EB-4196-BDD9-84D69173EFAF" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.0:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81A5C9AA-0C13-4DA4-845B-28CCE80D5A63" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "288A4DD7-765B-4957-869F-98A836E4EF0B" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F5C4B4A-507F-4389-9094-96AE7D84DE93" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6CDF5A9-E641-4FC3-8602-D47594524B20" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04C6B97E-408B-49B1-A1F3-C0D1107500D6" }, { "criteria": 
"cpe:2.3:a:vtiger:vtiger_crm:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23F2DEEE-E081-4ED2-AB1A-9ED966474CDB" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33644DF3-9777-405A-A106-1A6B4F1D6FB0" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8B3F151-0398-42C7-B194-FF528696D1E7" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2:*:validation:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "661FD257-5B33-4DFE-AC59-AB48D1D12712" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:4.2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57840915-C75E-4D62-A017-E60DD1396D34" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20038138-B797-40A5-A45B-9AB6C21033D0" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98DE0A56-EA74-4EA8-B941-F0DFF0F86F28" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAF126B8-8BE9-4775-904B-5F6FD0FC97CE" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84AE51A9-59AF-47F9-8AFC-5219505FD170" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.0.4:rc:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "773AE04C-2478-412F-B961-147E2079B2D2" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7983E217-C378-4D29-AB23-0A1F6FF483B7" }, { "criteria": "cpe:2.3:a:vtiger:vtiger_crm:5.1.0:rc:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16C7FC4B-4253-45C5-92A4-26705A1D98FF" } ], "operator": "OR" } ] } ]