CVE-2016-1713
published 2017-04-14

Priority: P3 57 · CVSS 3.0: 7.3 (High)
CVSS 3.0 vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.56% (96.6th percentile)
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.

Affected

1 range
Vendor   Product      Version range   Fixed in
vtiger   vtiger_crm   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: test/logo/
path: /test/logo/2.php
path: modules/Settings/Vtiger/actions/CompanyDetailsSave.php
url: index.php?parent=Settings&module=Vtiger&view=CompanyDetails
command: POST index.php module=Vtiger&parent=Settings&action=CompanyDetailsSave
  • Detect multipart POST requests to index.php with action=CompanyDetailsSave that carry a file upload with a PHP (or other executable) extension but a Content-Type of image/jpeg; this is the content-type bypass used in the exploit.
  • Alert on GET requests to /test/logo/*.php: uploaded PHP webshells are executed by requesting them directly under this path.
  • Monitor for the CSRF token regex pattern in Vtiger login responses followed by an authenticated POST to CompanyDetailsSave as an indicator of exploit automation.
  • Flag any file written to the test/logo/ directory with a non-image extension (e.g., .php) on the Vtiger CRM server filesystem.
  • The Metasploit module defaults to the php/meterpreter/reverse_tcp payload encoded with php/base64; detect base64-encoded PHP meterpreter stagers in uploaded files under test/logo/.
  • CVE-2016-1713 affects Vtiger CRM 6.4.0 and is an incomplete fix for CVE-2015-6000 (which affected 6.3.0); the Metasploit module and EDB-38345 were originally written and tested against v6.3.0, so detection logic should cover both versions.
  • Doc 3 (EDB-47392) references CVE-2016-1713 only incidentally in its references section; its actual vulnerability content describes Adobe ColdFusion 2018 / Symantec ASG and is unrelated to this CVE. Disregard its IOCs for CVE-2016-1713 detections.
  • Exploitation requires authentication as an administrator; detections should be scoped to authenticated sessions (valid session cookie present) to reduce false positives.

CVSS provenance

NVD, CVSS v3.0: 7.3 HIGH, CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 8.5 HIGH, AV:N/AC:M/Au:S/C:C/I:C/A:C