Vulnerability Description
SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vtiger | Vtiger Crm | <= 5.4.0 |
Related Weaknesses (CWE)
References
- http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.htmlThird Party Advisory
- http://osvdb.org/76138Broken Link
- http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20ProdPatchThird Party Advisory
- http://www.exploit-db.com/exploits/28409ExploitThird Party Advisory
- https://www.htbridge.com/advisory/HTB23168Third Party Advisory
- http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.htmlThird Party Advisory
- http://osvdb.org/76138Broken Link
- http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20ProdPatchThird Party Advisory
- http://www.exploit-db.com/exploits/28409ExploitThird Party Advisory
- https://www.htbridge.com/advisory/HTB23168Third Party Advisory
FAQ
What is CVE-2013-5091?
CVE-2013-5091 is a vulnerability with a CVSS score of 6.5 (MEDIUM). SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index...
How severe is CVE-2013-5091?
CVE-2013-5091 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-5091?
Check the references section above for vendor advisories and patch information. Affected products include: Vtiger Vtiger Crm.