CVE-2019-5009 (GCVE-0-2019-5009)
Vulnerability from cvelistv5 – Published: 2019-01-04 14:00 – Updated: 2024-09-16 23:52
VLAI
EPSS
VEX
Summary
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.
Severity
7.2 (High)
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://lists.vtigercrm.com/pipermail/vtigercrm-de… | x_refsource_MISC |
| https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-… | x_refsource_MISC |
| https://www.exploit-db.com/exploits/46065 | exploitx_refsource_EXPLOIT-DB |
| http://code.vtiger.com/vtiger/vtigercrm/commit/52… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:40:49.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"
},
{
"name": "46065",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46065"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"\u003c? ?\u003e\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-04T14:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"
},
{
"name": "46065",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46065"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-5009",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \"php3\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \"\u003c? ?\u003e\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html",
"refsource": "MISC",
"url": "http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html"
},
{
"name": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html"
},
{
"name": "46065",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46065"
},
{
"name": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375",
"refsource": "MISC",
"url": "http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-5009",
"datePublished": "2019-01-04T14:00:00.000Z",
"dateReserved": "2019-01-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:52:10.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-5009",
"date": "2026-07-16",
"epss": "0.09936",
"percentile": "0.95061"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"7.1.0\", \"matchCriteriaId\": \"BEE12792-2E47-4921-B7A0-90CB6EEB8F1F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1:*:*:*:*:*:*\", \"matchCriteriaId\": \"5EBD043D-53C6-4C4C-9D17-0CE7BEC3541C\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \\\"php3\\\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \\\"\u003c? ?\u003e\\\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.\"}, {\"lang\": \"es\", \"value\": \"La versi\\u00f3n 7.1.0 de Vtiger CRM anterior a Hotfix2 permite la subida de archivos con la extensi\\u00f3n \\\"php3\\\" en el campo de subida de logos, si el archivo subido tiene el formato PNG y el tama\\u00f1o de 150x40. Se puede introducir c\\u00f3digo PHP en la imagen; este c\\u00f3digo puede ejecutarse mediante etiquetas \\\"\\\", tal y como queda demostrado con una acci\\u00f3n de CompanyDetailsSave. Esto omite el mecanismo de protecci\\u00f3n de las extensiones de archivos maliciosos. Est\\u00e1 relacionado con actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php y models/CompanyDetails.php.\"}]",
"id": "CVE-2019-5009",
"lastModified": "2024-11-21T04:44:10.700",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-01-04T14:29:00.237",
"references": "[{\"url\": \"http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/46065\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/46065\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-5009\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-01-04T14:29:00.237\",\"lastModified\":\"2024-11-21T04:44:10.700\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension \\\"php3\\\" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using \\\"\u003c? ?\u003e\\\" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.\"},{\"lang\":\"es\",\"value\":\"La versi\u00f3n 7.1.0 de Vtiger CRM anterior a Hotfix2 permite la subida de archivos con la extensi\u00f3n \\\"php3\\\" en el campo de subida de logos, si el archivo subido tiene el formato PNG y el tama\u00f1o de 150x40. Se puede introducir c\u00f3digo PHP en la imagen; este c\u00f3digo puede ejecutarse mediante etiquetas \\\"\\\", tal y como queda demostrado con una acci\u00f3n de CompanyDetailsSave. Esto omite el mecanismo de protecci\u00f3n de las extensiones de archivos maliciosos. Est\u00e1 relacionado con actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php y models/CompanyDetails.php.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.1.0\",\"matchCriteriaId\":\"BEE12792-2E47-4921-B7A0-90CB6EEB8F1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vtiger:vtiger_crm:7.1.0:hotfix1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5EBD043D-53C6-4C4C-9D17-0CE7BEC3541C\"}]}]}],\"references\":[{\"url\":\"http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/46065\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/46065\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…