CVE-2013-3212
published 2020-01-28

Priority: P357 high | 8.1 CVSS 3.1
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 7.54% (93.8th percentile)
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
| vtiger | vtiger_crm | <= 5.4.0 | |

Detection & IOCs (extracted from sources)

path: /soap/customerportal.php
path: /soap/thunderbirdplugin.php
path: /soap/vtigerolservice.php
  • Monitor for SOAP requests to /soap/customerportal.php where the 'module' parameter contains path traversal sequences (e.g., '../') or unexpected directory references, as it is passed unsanitized to require_once().
  • Detect blind SQL injection attempts via the 'picklist_name' parameter in SOAP calls to customerportal.php — the value is inserted into a query without surrounding quotes, bypassing sql_escape_string sanitization.
  • Detect SQL injection attempts via the 'where' parameter in SOAP calls to the get_tickets_list method in customerportal.php — user-supplied content is concatenated directly into a SQL query.
  • Alert on authentication bypass attempts against vtiger SOAP methods where 'sessionid' is set to 0, null, or false — the validateSession() function returns true when getServerSessionId() returns null and sessionid loosely equals null/0.
  • Monitor for file writes to the vtiger storage/upload directory with PHP file extensions via the SaveEmailAttachment SOAP method — 'filename' and 'filedata' parameters allow writing arbitrary content including PHP code.
  • The vendor patch (http://www.vtiger.com/blogs/?p=1467) does not fully remediate the file-write vulnerability (CVE-2013-3214); authenticated remote code execution via 'filedata'/'filename' parameters remains possible after patching.
  • Exploitation of the local file inclusion via the 'module' parameter requires the application to be running on PHP with register_globals enabled or a similar permissive configuration.
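
The 'module' and 'sessionid' checks from the list above, as an added detection example (not code from vtiger or from the sources this page cites). It assumes request bodies are captured by a proxy or WAF and that each parameter appears as an XML element named after it; the envelope layout and sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# SOAP endpoints listed on this page.
SOAP_PATHS = {"/soap/customerportal.php", "/soap/thunderbirdplugin.php",
              "/soap/vtigerolservice.php"}
TRAVERSAL = re.compile(r"\.\.[\\/]")
NULLISH_SESSION = {"0", "null", "false"}  # values named in the session bullet

# Constructed sample bodies; element layout is an assumption, not vtiger's WSDL.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            "<soapenv:Body><call><sessionid>{sid}</sessionid>"
            "<module>{module}</module></call></soapenv:Body></soapenv:Envelope>")
SAMPLES = [
    ("/soap/customerportal.php", ENVELOPE.format(sid="a1b2c3", module="HelpDesk")),
    ("/soap/customerportal.php", ENVELOPE.format(sid="a1b2c3", module="../../placeholder")),
    ("/soap/customerportal.php", ENVELOPE.format(sid="0", module="HelpDesk")),
]


def inspect_request(path, body):
    """Return a list of findings for one captured SOAP POST."""
    if path.split("?", 1)[0].lower() not in SOAP_PATHS:
        return []
    # SOAP forbids DTDs; refuse them before parsing untrusted XML.
    if "<!DOCTYPE" in body.upper():
        return ["dtd-in-soap-body"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable-soap-body"]
    findings = []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace
        value = (el.text or "").strip()
        # A legitimate module name is a bare identifier, never a path.
        if name == "module" and (TRAVERSAL.search(value) or "/" in value):
            findings.append("module-path-traversal")
        elif name == "sessionid" and value.lower() in NULLISH_SESSION:
            findings.append("nullish-sessionid")
    return findings


if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_request(path, body))
```
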

CVSS provenance

nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P