Arbitrary file upload in Vtiger CRM - CVE-2019-5009

 

Arbitrary file upload in Vtiger CRM - CVE-2019-5009

Published: January 4, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU36249
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-5009
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vtiger
Affected software:
Vtiger CRM

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary code.

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.


How to mitigate CVE-2019-5009

Install update from vendor's website.

Sources