CVE-2015-6000
published 2020-02-06
Priority P2 · 72 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 40.24% (98.5th percentile)
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | <= 6.3.0 | — |
| vtiger | vtiger_crm | — | — |
Detection & IOCs
- Monitor for POST requests to the CompanyDetailsSave endpoint that include multipart file uploads with executable extensions (e.g., .php) rather than image extensions.
- Alert on HTTP GET requests to files under the path /test/logo/ with executable extensions such as .php, which indicate post-exploitation webshell access.
- Detect multipart/form-data POST requests containing an 'address' field alongside a file upload to the Vtiger company details save action, which is the exploit delivery mechanism.
- Flag any newly created PHP files within the test/logo/ directory on the web server filesystem as a high-confidence indicator of exploitation.
- The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not possible. Detection should account for authenticated sessions abusing the company logo upload feature.
- The exploit was confirmed against Vtiger CRM v6.3.0 specifically; detection rules should be scoped to this version or earlier.
- The upload target is the administration interface's company logo upload function; access controls on the admin panel may limit exposure but do not eliminate it if admin credentials are compromised.
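The two highest-confidence checks above (requests for executable files under test/logo/, and PHP files present in that directory) can be run with a short script. This is an added example, not code from the page or its sources; the Combined Log Format, the `/vtigercrm` install prefix, the extension list and all function names are assumptions, and the log lines are constructed.

```python
import re
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Extensions often mapped to the PHP handler (assumption; match your server config).
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
MARKER = "/test/logo/"  # upload directory named in the advisory
# Combined Log Format prefix: host ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_executable_name(name):
    """True if any extension component is executable (also catches x.php.jpg)."""
    return any(part in EXEC_EXT for part in name.lower().split(".")[1:])

def scan_access_log(lines):
    """Return requests for executable files under test/logo/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, ts, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # decode %xx, drop query string
        idx = path.lower().find(MARKER)
        if idx < 0:
            continue
        tail = path[idx + len(MARKER):]
        if any(is_executable_name(seg) for seg in tail.split("/")):
            hits.append({"host": host, "time": ts, "method": method,
                         "path": path, "status": int(status)})
    return hits

def scan_logo_dir(logo_dir, since=0.0):
    """Names of executable-extension files modified at or after `since` (epoch)."""
    return sorted(f.name for f in Path(logo_dir).rglob("*")
                  if f.is_file() and is_executable_name(f.name)
                  and f.stat().st_mtime >= since)

# Constructed sample lines (documentation IPs, assumed /vtigercrm prefix).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Sep/2015:10:01:12 +0000] "POST /vtigercrm/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Sep/2015:10:01:20 +0000] "GET /vtigercrm/test/logo/2.php HTTP/1.1" 200 31',
    '192.0.2.10 - - [28/Sep/2015:10:02:00 +0000] "GET /vtigercrm/test/logo/company.png HTTP/1.1" 200 8042',
    '198.51.100.7 - - [28/Sep/2015:10:03:41 +0000] "GET /vtigercrm/test/logo/%32.PHP?x=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit means the file existed and was served; pass the last known-good deployment time as `since` to limit the directory scan to newly created files.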
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_cisco · 7.8 HIGH
GHSA
GHSA-pvcr-hf6j-vf57: Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave
ghsa_unreviewed·2022-05-24
CVE-2015-6000 [MEDIUM] GHSA-pvcr-hf6j-vf57: Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.
GHSA
GHSA-h8jm-h3mr-79gp: Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2016-1713 [HIGH] CWE-434 GHSA-h8jm-h3mr-79gp: Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.
Cisco
Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability
vendor_cisco·2016-03-03·CVSS 7.8
CVE-2015-6260 [HIGH] CWE-20 Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability
Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability
A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Nexus 5500 Platform Switches, Cisco Nexus 5600 Platform Switches, and Cisco Nexus 6000 Series Switches running Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly.
The vulnerability is due to improper validation of SNMP Protocol Data Units (PDUs) in SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device, which could cause the SNMP application on the device to restart. A successful exploit could allow the attacker to cause the SNMP application to restart multiple times, leading to
Cisco
Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability
vendor_cisco·2015-02-20·CVSS 7.1
CVE-2015-0618 [HIGH] CWE-20 Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability
Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability
A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic.
The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device.
Cisco has released software updates that address th
No detection rules found.
Exploit-DB
Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)
exploitdb·2018-03-30
CVE-2016-1713 Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)
Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload',
'Description' => %q{
Vtiger 6.3.0 CRM's administration interface allows for the upload of
a company logo.
Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and
run this code by accessing the resulting PHP file.
This module was tested against vTiger CRM v6.3.0.
},
'Author' =>
[
'Benjamin Daniel Mussler', # Discoverys
'Touhid M.Shaikh ' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6000'],
['CVE','2016-1713'],
['EDB', '38345'
Exploit-DB
vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution
exploitdb·2015-09-28·CVSS 8.8
CVE-2016-1713 [HIGH] vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution
vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Vtiger CRM
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
- --
Benjamin Daniel MUSSLER
Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
Exploit-DB
WordPress Plugin Responsive Thumbnail Slider 1.0 - Arbitrary File Upload
exploitdb·2015-08-28
WordPress Plugin Responsive Thumbnail Slider 1.0 - Arbitrary File Upload
WordPress Plugin Responsive Thumbnail Slider 1.0 - Arbitrary File Upload
---
# Exploit Title: Wordpress Responsive Thumbnail Slider Arbitrary File Upload
# Date: 2015/8/29
# Exploit Author: Arash Khazaei
# Vendor Homepage:
https://wordpress.org/plugins/wp-responsive-thumbnail-slider/
# Software Link:
https://downloads.wordpress.org/plugin/wp-responsive-thumbnail-slider.zip
# Version: 1.0
# Tested on: Kali , Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Email : [email protected]
# Site : http://bhunter.ir
# Intrduction :
# Wordpress Responsive Thumbnail Slider Plugin iS A With 6000+ Active
Install
# And Suffer From A File Upload Vulnerability Allow Attacker Upload Shell
As A Image .
# Authors , Editors And Of Course Administrators This Vulnerability To Harm
WebSit
Metasploit
Vtiger CRM - Authenticated Logo Upload RCE
metasploit
Vtiger CRM - Authenticated Logo Upload RCE
Vtiger CRM - Authenticated Logo Upload RCE
Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against vTiger CRM v6.3.0.
No writeups or analysis indexed.
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
http://www.securityfocus.com//archive/1/536563/100/0/threaded
https://www.exploit-db.com/exploits/38345/
2020-02-06
Published