CVE-2013-3212
Published 2020-01-28
Priority: P3 (57) · Severity: High · CVSS 3.1 base score 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 7.54% (93.8th percentile)
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | <= 5.4.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for SOAP requests to /soap/customerportal.php where the 'module' parameter contains path traversal sequences (e.g., '../') or unexpected directory references, as it is passed unsanitized to require_once().
- Detect blind SQL injection attempts via the 'picklist_name' parameter in SOAP calls to customerportal.php — the value is inserted into a query without surrounding quotes, bypassing sql_escape_string sanitization.
- Detect SQL injection attempts via the 'where' parameter in SOAP calls to the get_tickets_list method in customerportal.php — user-supplied content is concatenated directly into a SQL query.
- Alert on authentication bypass attempts against vtiger SOAP methods where 'sessionid' is set to 0, null, or false — the validateSession() function returns true when getServerSessionId() returns null and sessionid loosely equals null/0.
- Monitor for file writes to the vtiger storage/upload directory with PHP file extensions via the SaveEmailAttachment SOAP method — 'filename' and 'filedata' parameters allow writing arbitrary content including PHP code.
- The vendor patch (http://www.vtiger.com/blogs/?p=1467) does not fully remediate the file-write vulnerability (CVE-2013-3214); authenticated remote code execution via 'filedata'/'filename' parameters remains possible after patching.
- Exploitation of the local file inclusion via the 'module' parameter requires the application to be running on PHP with register_globals enabled or a similar permissive configuration.
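A small defender-side scanner that turns the detection points above into checks, added here as an example (it is not part of this record, of any indexed rule, or of vtiger's code). It assumes a WAF or log parser has already extracted each SOAP call's method name and parameters into a dict; the method name `some_method` and all sample records are constructed.

```python
import re
from urllib.parse import unquote

# Heuristics for the detection points listed above. Values are assumed to be
# already extracted from the SOAP body by a WAF or log parser (assumption);
# the SOAP envelope itself is not parsed here.
NAME_OK = re.compile(r"[A-Za-z0-9_]+")  # module/picklist names should be bare identifiers
TRAVERSAL = re.compile(r"\.\./|\.\.\\|\x00")
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
SQLI_HINT = re.compile(r"--|/\*|;|\bunion\b|\b(sleep|benchmark)\s*\(", re.IGNORECASE)
NULLISH_SESSION = {"", "0", "null", "false"}  # values that loosely == null/0 in PHP

def check_request(method: str, params: dict) -> list:
    """Return rule names triggered by one decoded customerportal.php SOAP call."""
    hits = []
    if str(params.get("sessionid", "")).strip().lower() in NULLISH_SESSION:
        hits.append("sessionid-bypass")
    module = unquote(str(params.get("module", "")))  # also catches %2e%2e%2f encodings
    if module and (TRAVERSAL.search(module) or not NAME_OK.fullmatch(module)):
        hits.append("module-lfi")
    picklist = str(params.get("picklist_name", ""))
    if picklist and not NAME_OK.fullmatch(picklist):
        hits.append("picklist_name-sqli")
    if method == "get_tickets_list" and SQLI_HINT.search(str(params.get("where", ""))):
        hits.append("where-sqli")
    if method == "SaveEmailAttachment" and PHP_EXT.search(str(params.get("filename", ""))):
        hits.append("php-upload")
    return hits

def scan(requests) -> list:
    """Return [(index, hits)] for every (method, params) record that fired a rule."""
    return [(i, h) for i, (m, p) in enumerate(requests) if (h := check_request(m, p))]

# Constructed sample records, not real traffic; "some_method" is a placeholder name.
SAMPLE_REQUESTS = [
    ("get_tickets_list", {"sessionid": "8f3a1c", "where": "crmid = 42"}),
    ("get_tickets_list", {"sessionid": "0", "where": "1=1 UNION SELECT 1--"}),
    ("some_method", {"sessionid": "8f3a1c", "module": "..%2F..%2Fetc%2Fpasswd"}),
    ("some_method", {"sessionid": "8f3a1c", "picklist_name": "ticketstatus"}),
    ("some_method", {"sessionid": "8f3a1c", "picklist_name": "x or sleep(5)"}),
    ("SaveEmailAttachment", {"sessionid": "8f3a1c", "filename": "invoice.pdf"}),
    ("SaveEmailAttachment", {"sessionid": "8f3a1c", "filename": "cmd.php.jpg"}),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx][0], hits)
```

The identifier whitelist for 'module' and 'picklist_name' is the important part: it flags any value that is not a bare name, which is a stronger signal than matching known traversal or SQL strings alone.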
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.