![vtiger CRM](https://www.vtiger.com/images/vtiger%20logo%20color%2049pxh.png)
High-Tech Bridge Security Research Lab discovered a SQL injection vulnerability in vtiger CRM version 5.4.0 that can be exploited to execute arbitrary SQL commands in the application's database.
vtiger CRM is an on-demand customer relationship management application that provides sales, marketing, and support teams with tools to collaborate on delivering the customer experience.
The SQL injection exists because the "onlyforuser" HTTP GET parameter passed to the "index.php" script is not sufficiently validated before it reaches the database query. A remote authenticated user can therefore execute arbitrary SQL commands in the application's database. Exploitation requires the attacker to be registered and logged in, and registration is disabled by default, so the issue is rated medium severity with a CVSSv2 base score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P). The full advisory and solution details are available on htbridge.com.
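The following is an added illustration, not vtiger's code and not the query from the advisory: a hypothetical "onlyforuser" filter written in Python against an in-memory SQLite database. The table names, rows and injection payload are all constructed for the demonstration. It shows the pattern the advisory describes (an unvalidated GET value spliced into SQL text) beside the hardened form that enforces the expected type and binds the value as a query parameter.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demonstration only; this is not
# vtiger's real schema or data.
USERS = [
    (1, "admin", "hash-of-admin-password"),
    (2, "alice", "hash-of-alice-password"),
]
ACTIVITIES = [
    (1, 1, "Board meeting"),
    (2, 2, "Call customer"),
    (3, 2, "Send quote"),
]

# Constructed injection payload: the leading number satisfies the comparison,
# and the trailing UNION pulls rows out of an unrelated table.
PAYLOAD = "0 UNION SELECT user_name || ':' || user_password FROM users"


def make_db():
    """Build the in-memory database used by both query variants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)"
    )
    conn.execute(
        "CREATE TABLE activities (id INTEGER PRIMARY KEY, owner_id INTEGER, subject TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO activities VALUES (?, ?, ?)", ACTIVITIES)
    return conn


def activities_unsafe(conn, onlyforuser):
    """Vulnerable pattern: the raw GET value becomes part of the SQL text,
    so anything after the number is parsed and executed as SQL."""
    sql = "SELECT subject FROM activities WHERE owner_id = " + onlyforuser
    return [row[0] for row in conn.execute(sql)]


def activities_safe(conn, onlyforuser):
    """Hardened pattern: reject anything that is not an ASCII integer, then
    bind the value as a parameter so the driver never treats it as SQL."""
    if not re.fullmatch(r"[0-9]+", onlyforuser):
        raise ValueError("onlyforuser must be a numeric user id")
    sql = "SELECT subject FROM activities WHERE owner_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(onlyforuser),))]


def safe_rejects(conn, onlyforuser):
    """True if the hardened variant refuses the value instead of running it."""
    try:
        activities_safe(conn, onlyforuser)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(activities_unsafe(db, "2"))      # legitimate request works either way
    print(activities_unsafe(db, PAYLOAD))  # vulnerable variant leaks credential hashes
    print(safe_rejects(db, PAYLOAD))       # hardened variant refuses the payload
```

The hardened variant does two independent things: the regular expression keeps the parameter to the single shape the application expects, and the placeholder keeps the database from interpreting the value as SQL even if the validation were later loosened. Either alone closes the UNION shown here; together they also cover future changes to the query.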