cbcvebase.
CVE-2015-6000
published 2020-02-06

Priority: P2 (72, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT: flagged
EPSS: 40.24% (98.5th percentile)
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.

Affected (2 ranges)

Vendor   Product      Version range   Fixed in
vtiger   vtiger_crm   <= 6.3.0        (none listed)
vtiger   vtiger_crm   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

path: test/logo/
path: modules/Settings/Vtiger/actions/CompanyDetailsSave.php
url:  [Vtiger URL]/test/logo/2.php
  • Monitor for POST requests to the CompanyDetailsSave endpoint that include multipart file uploads with executable extensions (e.g., .php) rather than image extensions.
  • Alert on HTTP GET requests to files under the path /test/logo/ with executable extensions such as .php, which indicates post-exploitation webshell access.
  • Detect multipart/form-data POST requests containing an 'address' field alongside a file upload to the Vtiger company details save action, which is the exploit delivery mechanism.
  • Flag any newly created PHP files within the test/logo/ directory on the web server filesystem as a high-confidence indicator of exploitation.
  • The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not possible. Detection should account for authenticated sessions abusing the company logo upload feature.
  • The exploit was confirmed against Vtiger CRM v6.3.0 specifically; detection rules should be scoped to this version or earlier.
  • The upload target is the administration interface's company logo upload function; access controls on the admin panel may limit exposure but do not eliminate it if admin credentials are compromised.
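The detection bullets above translate directly into three checks: an executable-extension upload posted to the CompanyDetailsSave action, a direct GET for an executable file under /test/logo/, and the presence of such a file on disk. The following Python is an added example written for this page, not code from the vulnerability database or from Vtiger. It assumes requests have already been parsed into records with method, path, content type and uploaded filename (the upload filename is not in a standard access log, so this input shape is an assumption), that the action is reached via a query string containing action=CompanyDetailsSave, and it treats several PHP-family extensions as executable even though the advisory only names .php. All sample requests and files are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the web server would execute on a direct request. The advisory
# names .php; the other PHP-family extensions are an assumption added here.
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar"}

# Assumption: the CompanyDetailsSave action is selected by this query parameter
# (the advisory names only the action class, not the exact URL).
UPLOAD_ACTION_RE = re.compile(r"action=CompanyDetailsSave\b", re.IGNORECASE)
LOGO_DIR_RE = re.compile(r"/test/logo/[^?]*", re.IGNORECASE)


def _ext(name):
    """Lower-cased file extension, ignoring any query string."""
    return os.path.splitext(name.split("?")[0])[1].lower()


def classify_request(rec):
    """Return the detection tags that fire for one parsed request record.

    rec keys: method, path, content_type, upload_filename (None if no file part).
    """
    tags = []
    method = rec["method"].upper()
    path = rec["path"]
    ctype = (rec.get("content_type") or "").lower()
    upload = rec.get("upload_filename")

    # Rule 1: multipart POST to CompanyDetailsSave whose file part is executable
    # rather than an image.
    if (method == "POST" and UPLOAD_ACTION_RE.search(path)
            and ctype.startswith("multipart/form-data")
            and upload and _ext(upload) in EXECUTABLE_EXTS):
        tags.append("vtiger_logo_upload_executable")

    # Rule 2: direct GET of an executable file under /test/logo/ (post-upload access).
    m = LOGO_DIR_RE.search(path)
    if method == "GET" and m and _ext(m.group(0)) in EXECUTABLE_EXTS:
        tags.append("vtiger_logo_webshell_access")

    return tags


def scan_requests(records):
    """Run classify_request over a sequence of records; return (index, tag) pairs."""
    return [(i, tag) for i, rec in enumerate(records) for tag in classify_request(rec)]


def find_executable_logo_files(webroot):
    """Rule 3: files under <webroot>/test/logo/ carrying an executable extension."""
    logo_dir = Path(webroot) / "test" / "logo"
    if not logo_dir.is_dir():
        return []
    return sorted(p.relative_to(webroot).as_posix() for p in logo_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS)


# Constructed sample requests (not real traffic): a benign logo upload, then the
# pattern the advisory describes, then a benign image fetch.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php?module=Settings&parent=Settings&view=CompanyDetails",
     "content_type": None, "upload_filename": None},
    {"method": "POST", "path": "/index.php?module=Settings&parent=Settings&action=CompanyDetailsSave",
     "content_type": "multipart/form-data; boundary=----constructed", "upload_filename": "logo.png"},
    {"method": "POST", "path": "/index.php?module=Settings&parent=Settings&action=CompanyDetailsSave",
     "content_type": "multipart/form-data; boundary=----constructed", "upload_filename": "2.php"},
    {"method": "GET", "path": "/test/logo/2.php", "content_type": None, "upload_filename": None},
    {"method": "GET", "path": "/test/logo/logo.png", "content_type": None, "upload_filename": None},
]


def demo_filesystem_check():
    """Build a throwaway web root with one image and one PHP file in test/logo/, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        logo = Path(root) / "test" / "logo"
        logo.mkdir(parents=True)
        (logo / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        (logo / "2.php").write_text("<?php /* constructed placeholder, no code */ ?>")
        return find_executable_logo_files(root)


if __name__ == "__main__":
    for idx, tag in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {tag} -> {SAMPLE_REQUESTS[idx]['path']}")
    print("on-disk hits:", demo_filesystem_check())
```

Scoping note: the first rule alerts only when the file part has an executable extension, so routine logo uploads (PNG, JPEG) do not fire; pairing rule 1 with a rule 2 hit from the same session is the strongest signal, and the filesystem check catches uploads that happened before logging was in place.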

CVSS provenance

nvd, v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_cisco: 7.8 HIGH