Remote Code Execution Vulnerability in Vtiger CRM 7.5.0
CVE-2023-46304

8.1HIGH

Key Information:

Vendor

Vtiger CRM

Vendor
CVE Published:
30 April 2024

What is CVE-2023-46304?

An issue in Vtiger CRM 7.5.0 allows remote authenticated users to exploit an unprotected endpoint within modules/Users/models/Module.php. This vulnerability enables attackers to write arbitrary PHP code to the critical config.inc.php file, which is executed with every request to the application. This flaw poses significant security risks, as it may lead to full system compromise and unauthorized control over the affected application. Securing endpoints and restricting user permissions are crucial steps to mitigate this vulnerability.

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.