Arbitrary file upload in Vtiger CRM - CVE-2019-5009
Published: January 4, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU36249
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-5009
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Vtiger CRM
Vtiger CRM
Software vendor:
Vtiger
Vtiger
Description
The vulnerability allows a remote privileged user to execute arbitrary code.
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.
Remediation
Install update from vendor's website.