CVE-2013-3214
published 2020-01-28

CVE-2013-3214: vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

Priority: P278 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 84.54% (99.7th percentile)

Affected

1 range

Vendor    Product       Version range    Fixed in
vtiger    vtiger_crm    <= 5.4.0

Detection & IOCs (extracted from sources)

path: /soap/vtigerolservice.php
path: /vtigercrm/soap/vtigerolservice.php
path: /soap/customerportal.php
path: /soap/thunderbirdplugin.php
command: AddEmailAttachment SOAP with filename=../../../../../../<file>.php and base64-encoded PHP payload in filedata
  • Detect unauthenticated POST requests to the vtigerolservice.php SOAP endpoint, particularly invoking the AddEmailAttachment method with a filename containing directory traversal sequences (../../).
  • Look for SOAP requests to /soap/vtigerolservice.php with Content-Type 'text/xml' and a body containing the AddEmailAttachment action and a .php filename in the filename element.
  • Monitor for HTTP GET requests to /vtigercrm/soap/<random>.php immediately after a POST to the AddEmailAttachment endpoint, indicating payload execution after upload.
  • Authentication bypass can be detected by SOAP calls to validateSession-protected methods where the sessionid parameter is omitted, set to 0, or null — causing validateSession() to return true against a null server_sessionid.
  • Detect SOAP envelope requests using the vtiger CRM namespace (xmlns:crm="http://www.vtiger.com/products/crm") targeting the AddEmailAttachment or CheckEmailPermission operations.
  • Alert on newly created .php files appearing inside the /soap/ directory of a vTiger CRM installation, as the exploit writes the uploaded payload there.
  • The filetype field in the AddEmailAttachment SOAP body is set to 'php' during exploitation; inspect SOAP body for filetype=php combined with base64-encoded filedata.
  • The vendor patch (http://www.vtiger.com/blogs/?p=1467) does not fully remediate CVE-2013-3214; authenticated users can still inject and execute arbitrary code after patching.
  • The exploit requires combining two vulnerabilities: the authentication bypass (CVE-2013-3215) and the arbitrary file upload via AddEmailAttachment (CVE-2013-3214); detection logic should account for both being used in sequence.
  • The payload is sent base64-encoded inside a POST SOAP request with a maximum space of 256k; detection rules should handle large base64-encoded SOAP bodies.
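
One way to apply the SOAP-body indicators listed above to a captured request, as an added example that is not part of the original page or of any vendor tooling. The function names, indicator labels and the element nesting in the constructed sample are assumptions; the element names (filename, filetype, filedata, sessionid) and the namespace follow the page.

```python
import re
import xml.etree.ElementTree as ET

ENDPOINT = re.compile(r"/soap/vtigerolservice\.php$", re.I)

# Constructed sample, not captured traffic. Element nesting is an assumption;
# filedata holds base64 of the text "constructed placeholder", not a payload.
SAMPLE = """<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:crm="http://www.vtiger.com/products/crm">
 <soapenv:Body><crm:AddEmailAttachment>
  <filename>../../../../../../example.php</filename>
  <filetype>php</filetype>
  <filedata>Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=</filedata>
 </crm:AddEmailAttachment></soapenv:Body>
</soapenv:Envelope>"""

def local(tag):
    """Strip the XML namespace so 'crm:filename' and 'filename' both match."""
    return tag.rsplit("}", 1)[-1].lower()

def inspect_request(method, path, body):
    """Return the indicator labels that fire for one HTTP request."""
    if method.upper() != "POST" or not ENDPOINT.search(path.split("?")[0]):
        return []
    try:
        root = ET.fromstring(body)  # untrusted input: prefer defusedxml in production
    except ET.ParseError:
        return ["unparseable_soap_body"]
    fields = {local(e.tag): (e.text or "").strip() for e in root.iter()}
    if "addemailattachment" not in fields:
        return []
    hits = ["AddEmailAttachment_call"]
    name = fields.get("filename", "")
    if "../" in name or "..\\" in name:
        hits.append("filename_traversal")
    if name.lower().endswith(".php"):
        hits.append("php_filename")
    if fields.get("filetype", "").lower() == "php":
        hits.append("filetype_php")
    # Covers the CVE-2013-3215 condition: sessionid omitted, 0, or null.
    if fields.get("sessionid", "") in ("", "0", "null"):
        hits.append("sessionid_missing_or_zero")
    return hits

if __name__ == "__main__":
    print(inspect_request("POST", "/vtigercrm/soap/vtigerolservice.php", SAMPLE))
```

Because a legitimate mail-client upload also calls AddEmailAttachment, alert on the combination of labels rather than on the call alone.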

CVSS provenance

Source    Version    Score    Severity    Vector
nvd       v3.1       9.8      CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P