CVE-2019-5009 - OpenCVE

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vtiger	Vtiger Crm

Configuration 1 [-]

OR	cpe:2.3:a:vtiger:vtiger_crm::::::::
	cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1::::::

No data.

References

Link	Providers
http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html
https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html
https://www.exploit-db.com/exploits/46065

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-04T14:00:00Z

Updated: 2024-09-16T23:52:10.146Z

Reserved: 2019-01-04T00:00:00Z

Link: CVE-2019-5009

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-01-04T14:29:00.237

Modified: 2019-10-24T12:31:06.643

Link: CVE-2019-5009

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"<? ?>\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-04T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"tags": ["x_refsource_MISC"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"name": "46065", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46065"}, {"tags": ["x_refsource_MISC"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-5009", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"<? ?>\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html", "refsource": "MISC", "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"name": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html", "refsource": "MISC", "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"name": "46065", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46065"}, {"name": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375", "refsource": "MISC", "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:40:49.181Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"name": "46065", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46065"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-5009", "datePublished": "2019-01-04T14:00:00Z", "dateReserved": "2019-01-04T00:00:00Z", "dateUpdated": "2024-09-16T23:52:10.146Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEE12792-2E47-4921-B7A0-90CB6EEB8F1F", "versionEndIncluding": "7.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "5EBD043D-53C6-4C4C-9D17-0CE7BEC3541C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"<? ?>\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."}, {"lang": "es", "value": "La versi\u00f3n 7.1.0 de Vtiger CRM anterior a Hotfix2 permite la subida de archivos con la extensi\u00f3n \"php3\" en el campo de subida de logos, si el archivo subido tiene el formato PNG y el tama\u00f1o de 150x40. Se puede introducir c\u00f3digo PHP en la imagen; este c\u00f3digo puede ejecutarse mediante etiquetas \"\", tal y como queda demostrado con una acci\u00f3n de CompanyDetailsSave. Esto omite el mecanismo de protecci\u00f3n de las extensiones de archivos maliciosos. Est\u00e1 relacionado con actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php y models/CompanyDetails.php."}], "id": "CVE-2019-5009", "lastModified": "2019-10-24T12:31:06.643", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-04T14:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46065"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}