Vulnerability Description
Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file.
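The weakness described above is a request parameter flowing unchecked into an include() path. The following is an added example, not vTiger's own code, showing the defensive pattern: an allowlist on each path component (which rejects "..", slashes and NUL/%00 bytes outright) plus a realpath() containment check as a second layer. It assumes a hypothetical layout of modules/<Module>/<Action>.php under MODULES_DIR; the sample request values are constructed.

```php
<?php
// Added example (not vTiger code): hardening a module/action dispatcher
// against the traversal and null-byte inputs described in CVE-2005-3820.
// Assumed layout: MODULES_DIR/<Module>/<Action>.php (hypothetical).

declare(strict_types=1);

const MODULES_DIR = __DIR__ . '/modules';

/**
 * Validate a request parameter that will become part of a file path.
 * Only a plain identifier is accepted, so "..", "/", "\0" and an
 * URL-decoded "%00" can never reach include().
 */
function safe_component(?string $value, string $default): string
{
    if ($value === null || $value === '') {
        return $default;
    }
    // Letters, digits and underscore only; preg_match is binary-safe,
    // so an embedded NUL byte fails the match instead of truncating the path.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value)) {
        throw new InvalidArgumentException('invalid path component');
    }
    return $value;
}

/**
 * Resolve the action file and confirm it still lies inside MODULES_DIR
 * after realpath() has normalised symlinks and ".." segments.
 * This is a second layer on top of the allowlist, not a replacement for it.
 */
function resolve_action_file(string $module, string $action): string
{
    $candidate = MODULES_DIR . "/$module/$action.php";
    $real = realpath($candidate);
    $base = realpath(MODULES_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('action file missing or outside modules directory');
    }
    return $real;
}

// Constructed request values: one benign, two carrying traversal / NUL patterns.
$samples = [
    ['module' => 'Leads',       'action' => 'index'],
    ['module' => '../../etc',   'action' => 'passwd%00'],
    ['module' => "Leads\0",     'action' => 'index'],
];

foreach ($samples as $req) {
    try {
        $module = safe_component($req['module'], 'Home');
        $action = safe_component($req['action'], 'index');
        $file   = resolve_action_file($module, $action);
        echo "would include: $file\n";
    } catch (Throwable $e) {
        echo 'rejected ' . bin2hex($req['module']) . '/' . bin2hex($req['action'])
           . ': ' . $e->getMessage() . "\n";
    }
}
```

When run stand-alone the first sample is also rejected, because the assumed modules/Leads/index.php does not exist and realpath() returns false; the point is that the two hostile inputs are refused by the allowlist before any filesystem call is made, and that the containment check would catch anything the allowlist ever let through.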
CVSS Score
6.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vtiger | Vtiger Crm | <= 4.2 |
References
- http://marc.info/?l=full-disclosure&m=113290708121951&w=2
- http://secunia.com/advisories/17693 (Vendor Advisory)
- http://securitytracker.com/id?1015271
- http://securitytracker.com/id?1015274
- http://www.hardened-php.net/advisory_232005.105.html (Vendor Advisory)
- http://www.securityfocus.com/archive/1/417711/30/0/threaded
- http://www.securityfocus.com/archive/1/417730/30/0/threaded
- http://www.securityfocus.com/bid/15562 (Exploit)
- http://www.securityfocus.com/bid/15569
- http://www.vupen.com/english/advisories/2005/2569
FAQ
What is CVE-2005-3820?
CVE-2005-3820 is a vulnerability with a CVSS score of 6.4 (MEDIUM). Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot...
How severe is CVE-2005-3820?
CVE-2005-3820 has been rated MEDIUM with a CVSS base score of 6.4/10. See the CVSS Score section above.
Is there a patch for CVE-2005-3820?
Check the references section above for vendor advisories and patch information. Affected products include: Vtiger Vtiger Crm.