CVE-2013-3591
published 2020-02-07

CVE-2013-3591: vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

Priority: P2 72 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (Metasploit module)
EPSS: 43.10% (98.6th percentile)

Affected (4 ranges)

Vendor      Product     Version range  Fixed in
vtiger      vtiger_crm  -              -
vtiger      vtiger_crm  -              -
vtiger_crm  vtiger_crm  -              -
vtiger_crm  vtiger_crm  -              -

Detection & IOCs (extracted from sources)

url:      /kcfinder/browse.php?type=files&lng=en&act=upload
path:     /test/upload/files/
filename: *.php3
path:     /vtigercrm/index.php
  • Detect multipart POST requests to /kcfinder/browse.php with parameters type=files and act=upload, which is the upload endpoint abused to plant a PHP webshell.
  • Alert on files with a .php3 extension being uploaded via the KCFinder component; the exploit specifically appends '.php3' to bypass upload filters.
  • Monitor HTTP GET requests to /test/upload/files/*.php3 (or any PHP-executable extension) immediately after a POST to the KCFinder upload endpoint, indicating payload trigger.
  • Inspect POST bodies to /index.php for the vTiger authentication action (module=Users&action=Authenticate) followed shortly by a KCFinder upload request from the same session cookie — this sequence indicates exploitation.
  • The multipart upload form-data field 'dir' is set to 'files', targeting the insufficiently privileged upload folder; detect this field value in upload requests to KCFinder.
  • The exploit requires valid credentials (authenticated RCE); default credentials of admin/admin are used in the Metasploit module, so instances with default credentials are at highest risk.
  • Vulnerability is confirmed only against vTiger CRM v5.4.0 and v5.3.0; the Metasploit check function returns Safe for other versions.
  • The root cause is insufficient privileges on the 'files' upload folder within KCFinder; hardening folder permissions on this directory will mitigate the vulnerability.
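The detection bullets above describe a request sequence: a POST to the KCFinder upload endpoint with type=files and act=upload, followed shortly by a GET for a PHP-executable file under /test/upload/files/ from the same client. The script below, an added example that is not part of this CVE record or of any vendor tooling, implements that correlation over web-server access logs. It assumes Apache combined log format, uses the client IP as the correlation key because standard access logs carry neither the session cookie nor the POST body (so the module=Users&action=Authenticate step and the 'dir=files' form field from the IOC list cannot be checked here and need request-body logging at a proxy or WAF), and the log lines, IPs, timestamps and file name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
# IPs, timestamps and the file name are made up; the URL patterns follow the IOC list.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2020:10:00:01 +0000] "POST /vtigercrm/index.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2020:10:00:03 +0000] "POST /vtigercrm/kcfinder/browse.php?type=files&lng=en&act=upload HTTP/1.1" 200 34 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2020:10:00:05 +0000] "GET /vtigercrm/test/upload/files/example_shell.php3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Feb/2020:10:02:00 +0000] "POST /vtigercrm/kcfinder/browse.php?type=files&lng=en&act=upload HTTP/1.1" 200 34 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Feb/2020:10:02:02 +0000] "GET /vtigercrm/test/upload/files/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.5 - - [07/Feb/2020:10:05:00 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A PHP-executable extension inside the KCFinder 'files' upload folder.
# Matched by substring so the install prefix (/vtigercrm/ here) does not matter.
PHP_IN_UPLOAD_DIR = re.compile(r'/test/upload/files/[^/]+\.(?:php\d?|phtml)$', re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
        })
    return events


def is_kcfinder_upload(method, target):
    """POST to .../kcfinder/browse.php with type=files and act=upload (IOC url above)."""
    parts = urlsplit(target)
    if method != "POST" or not parts.path.endswith("/kcfinder/browse.php"):
        return False
    q = parse_qs(parts.query)
    return q.get("type") == ["files"] and q.get("act") == ["upload"]


def is_php_in_upload_dir(method, target):
    """GET for a PHP-executable file under /test/upload/files/ (IOC path and filename above)."""
    return method == "GET" and bool(PHP_IN_UPLOAD_DIR.search(urlsplit(target).path))


def correlate(events, window=timedelta(minutes=5)):
    """Alert when a client fetches a PHP file from the upload folder within `window`
    of hitting the KCFinder upload endpoint. Correlation key is the client IP, an
    assumption forced by access logs lacking the session cookie."""
    last_upload = {}          # ip -> timestamp of its most recent upload POST
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if is_kcfinder_upload(ev["method"], ev["target"]):
            last_upload[ip] = ev["ts"]
        elif is_php_in_upload_dir(ev["method"], ev["target"]) and ip in last_upload:
            if ev["ts"] - last_upload[ip] <= window:
                alerts.append({
                    "ip": ip,
                    "upload_at": last_upload[ip].isoformat(),
                    "fetched_at": ev["ts"].isoformat(),
                    "path": urlsplit(ev["target"]).path,
                    # 200 means the planted file was served (and, on a PHP handler, run);
                    # a 404 still records an attempt worth reviewing.
                    "served": ev["status"] == 200,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print("ALERT kcfinder upload followed by PHP fetch:", alert)
```

Only the first client trips the rule: it hits the upload endpoint and then fetches a .php3 file from the upload folder two seconds later. The second client uses the same endpoint but then fetches a .pdf, which is normal KCFinder behaviour and stays quiet. Tune the window to the deployment's traffic and, where a WAF or reverse proxy logs request bodies, extend the match to the authentication POST and the dir=files form field named in the IOC list.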

CVSS provenance

NVD  v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P