CVE-2013-3215
published 2020-01-29

CVE-2013-3215: vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

Priority: P181 · CVSS 3.1: 9.8 (critical)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 68.85% (99.3rd percentile)

Affected (1 range)

Vendor: vtiger · Product: vtiger_crm · Version range: 5.1.0 – 5.4.0 · Fixed in: not listed

Detection & IOCs (extracted from sources)

  • Path: /soap/customerportal.php
  • Path: /soap/thunderbirdplugin.php
  • Path: /soap/vtigerolservice.php
  • Authentication bypass via validateSession(): if getServerSessionId() returns null, passing sessionid=0, false, or null causes validateSession() to return true — monitor SOAP requests with missing or zero-value username/sessionid parameters.
  • Detect unauthenticated SOAP method calls to vtiger CRM endpoints (customerportal.php, vtigerolservice.php) where sessionid is absent, zero, or null — these indicate exploitation of the CVE-2013-3215 auth bypass.
  • Combined exploit chain: auth bypass (CVE-2013-3215) + arbitrary file upload via AddEmailAttachment SOAP service can result in PHP webshell upload and execution — monitor for unexpected PHP files written to the storage/upload directory.
  • Local file inclusion risk: monitor SOAP calls to get_list_values and get_project_components where the 'module' parameter contains path traversal sequences or unexpected values used in require_once().
  • Blind SQL injection via 'picklist_name' parameter in get_list_values SOAP method — the value is used directly in a query without quotes after sql_escape_string sanitisation, enabling injection without quotes.
  • SQL injection via 'where' parameter in get_tickets_list SOAP method — user-supplied where clause fragments are concatenated directly into the SQL query without validation.
  • The vendor patch (http://www.vtiger.com/blogs/?p=1467) does NOT fully fix the arbitrary file upload vulnerability — authenticated remote code execution remains possible after patching.
  • The Metasploit module for this CVE chain has been tested on vTiger CRM v5.4.0 on Ubuntu 10.04 and Windows 2003 SP2 — detection logic should cover both Linux and Windows deployments.
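As an added defender-side example (not code from this page or from the vtiger project), the following Python scans request records for the auth-bypass pattern described above: SOAP calls to the listed endpoints whose sessionid is absent or one of the null-like values validateSession() accepts when no server session exists. The record format, the XML/urlencoded parameter handling and the sample records are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints listed on this page as exposing the vulnerable SOAP services.
VTIGER_SOAP_ENDPOINTS = {
    "/soap/customerportal.php",
    "/soap/vtigerolservice.php",
    "/soap/thunderbirdplugin.php",
}
# sessionid values the page says validateSession() accepts when getServerSessionId() is null.
NULL_LIKE = {"", "0", "null", "false"}

# Matches <sessionid>VALUE</sessionid> or a self-closing/nil <sessionid/> inside a SOAP body.
SESSIONID_XML = re.compile(r"<sessionid[^>]*>(.*?)</sessionid>|<sessionid[^>]*/>", re.I | re.S)


def extract_sessionid(target, body):
    """Return the sessionid carried in the query string, urlencoded body or XML body; None if absent."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body.lstrip().startswith("<"):
        m = SESSIONID_XML.search(body)
        return (m.group(1) or "").strip() if m else None
    params.update(parse_qs(body, keep_blank_values=True))
    values = params.get("sessionid")
    return values[0].strip() if values else None


def flag_request(client, method, target, body):
    """Return a finding for a vtiger SOAP request with a missing or null-like sessionid, else None."""
    path = urlsplit(target).path
    if path not in VTIGER_SOAP_ENDPOINTS:
        return None
    sid = extract_sessionid(target, body)
    if sid is None:
        return f"{client} {method} {path}: sessionid absent"
    if sid.lower() in NULL_LIKE:
        return f"{client} {method} {path}: sessionid={sid!r} (null-like)"
    return None  # a real-looking session token; tune an allowlist for legitimate login calls


def scan(log_lines):
    """Scan 'client|method|target|body' records (constructed format, an assumption) for findings."""
    findings = []
    for line in log_lines:
        client, method, target, body = line.rstrip("\n").split("|", 3)
        hit = flag_request(client, method, target, body)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "203.0.113.5|POST|/soap/customerportal.php|<soap:Envelope><sessionid>0</sessionid></soap:Envelope>",
    "203.0.113.5|GET|/soap/vtigerolservice.php?username=admin&sessionid=null|",
    "198.51.100.7|POST|/soap/customerportal.php|username=joe&sessionid=a1b2c3d4e5f6",
    "198.51.100.9|GET|/index.php?module=Home|",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```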

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P