File Upload Vulnerability in Vtiger CRM by Vtiger
CVE-2019-5009
Key Information:
- Vendor
Vtiger
- Status
- Vendor
- CVE Published:
- 4 January 2019
Badges
What is CVE-2019-5009?
Vtiger CRM versions prior to Hotfix2 are susceptible to a file upload vulnerability that permits the uploading of files with 'php3' extension masquerading as PNG images. This occurs in the logo upload feature wherein an attacker can insert PHP code into an image file, achieving remote code execution by leveraging certain actions within the application. The flaw circumvents protections against dangerous file extensions, enabling unauthorized execution of server-side scripts. Specific files involved in this vulnerability include actions/CompanyDetailsSave.php and actions/UpdateCompanyLogo.php.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
9% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability Reserved
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
