CVE-2013-3215
Published 2020-01-29
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.
Priority: P1 · 81 | CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available
EPSS: 68.85% (99.3th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | 5.1.0 – 5.4.0 | — |
Detection & IOCs (extracted from sources)
- Authentication bypass in validateSession(): when getServerSessionId() returns null, a request that passes sessionid as 0, false or null makes validateSession() return true. Monitor SOAP requests whose username or sessionid parameters are missing or zero-valued.
- Detect unauthenticated SOAP method calls to the vtiger CRM endpoints customerportal.php and vtigerolservice.php in which sessionid is absent, zero or null; these indicate exploitation of the CVE-2013-3215 authentication bypass.
- Combined exploit chain: the authentication bypass (CVE-2013-3215) plus arbitrary file upload through the AddEmailAttachment SOAP service can result in a PHP webshell being uploaded and executed. Monitor for unexpected PHP files written to the storage/upload directory.
- Local file inclusion risk: monitor SOAP calls to get_list_values and get_project_components whose 'module' parameter contains path traversal sequences or unexpected values, since that parameter is passed to require_once().
- Blind SQL injection via the 'picklist_name' parameter of the get_list_values SOAP method: the value is placed unquoted in the query, so sql_escape_string sanitisation does not stop injection payloads that need no quotes.
- SQL injection via the 'where' parameter of the get_tickets_list SOAP method: user-supplied WHERE clause fragments are concatenated directly into the SQL query without validation.
- The vendor patch (http://www.vtiger.com/blogs/?p=1467) does NOT fully fix the arbitrary file upload vulnerability; authenticated remote code execution remains possible after patching.
- The Metasploit module for this CVE chain has been tested on vTiger CRM v5.4.0 on Ubuntu 10.04 and Windows 2003 SP2, so detection logic should cover both Linux and Windows deployments.
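The first two indicators above can be checked mechanically. The following detector is an added example, not code from the advisory or from vtiger: it inspects (request path, SOAP body) pairs for calls to customerportal.php or vtigerolservice.php whose sessionid is missing, empty, 0, false or null. The sample requests are constructed, and the assumption that a null argument is serialised as xsi:nil="true" is the author's, not the page's.

```python
"""Flag vtiger CRM SOAP calls whose sessionid is missing, empty, 0, false or null.
Added detection example, not code from the advisory or vtiger; sample requests are constructed."""
import xml.etree.ElementTree as ET

SOAP_ENDPOINTS = ("customerportal.php", "vtigerolservice.php")
WEAK_SESSION_VALUES = {"", "0", "false", "null"}  # pass a loose PHP compare against a null id
SOAP_NS = ('xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
           'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

def _local(tag): return tag.rsplit("}", 1)[-1]  # '{ns}sessionid' -> 'sessionid'

def weak_sessionid(root):
    """Reason the call lacks a usable sessionid, or None if a real one is present."""
    params = [el for el in root.iter() if _local(el.tag) == "sessionid"]
    if not params:
        return "sessionid parameter missing"
    el = params[0]
    # Assumption: a null argument is serialised as xsi:nil="true" by the SOAP client.
    if any(_local(k) == "nil" and v.lower() == "true" for k, v in el.attrib.items()):
        return "sessionid is null"
    value = (el.text or "").strip().lower()
    return f"sessionid is {value!r}" if value in WEAK_SESSION_VALUES else None

def flag_request(path, body):
    """Return a reason string for a suspicious call to a vtiger SOAP endpoint, else None."""
    if not path.split("?", 1)[0].endswith(SOAP_ENDPOINTS):
        return None  # not one of the affected SOAP endpoints
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "malformed SOAP body"  # fail closed: an unparseable body is worth a look
    return weak_sessionid(root)

def envelope(call):
    return f"<soapenv:Envelope {SOAP_NS}><soapenv:Body>{call}</soapenv:Body></soapenv:Envelope>"

SAMPLE_REQUESTS = [  # constructed (path, body) pairs, not captured traffic
    ("/vtigercrm/soap/customerportal.php",
     envelope("<get_tickets_list><id>1</id><sessionid>0</sessionid></get_tickets_list>")),
    ("/vtigercrm/soap/customerportal.php",
     envelope('<get_list_values><id>1</id><sessionid xsi:nil="true"/></get_list_values>')),
    ("/vtigercrm/soap/vtigerolservice.php",
     envelope("<AddEmailAttachment><filename>note.txt</filename></AddEmailAttachment>")),
    ("/vtigercrm/soap/customerportal.php",
     envelope("<get_tickets_list><id>1</id><sessionid>a9f3c2e1b0d4</sessionid></get_tickets_list>")),
    ("/vtigercrm/index.php", "not a SOAP call"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return [(index, path, reason), ...] for every flagged request."""
    return [(i, p, r) for i, (p, b) in enumerate(requests) if (r := flag_request(p, b))]
```

Only the three calls with a weak or absent sessionid are reported; the call carrying a real session id and the non-SOAP request are ignored.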
CVSS provenance
- NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities (exploitdb · 2013-08-02)
---
... debug("Entering customer portal function get_list_values");
2) The vulnerable code is located in the get_project_components SOAP method defined in /soap/customerportal.php:
```php
2778. function get_project_components($id,$module,$customerid,$sessionid) {
2779.     require_once("modules/$module/$module.php");
2780.     require_once('include/utils/UserInfoUtil.php');
2781.
2782.     global $adb,$log;
2783.     $log->debug("Entering customer portal function get_project_components ..");
```
The vulnerabilities exist because these methods fail to properly validate input passed through the "module" parameter, which is used in a call to the require_once() function (lines 1530 and 2779). This might be exploited to include arbitrary local files contai
Metasploit
vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload
vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.
No writeups or analysis indexed.