Vulnerability Description
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vtiger | Vtiger Crm | 7.5.0 |
Related Weaknesses (CWE)
References
- https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/ModuProduct
- https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232Patch
- https://github.com/jselliott/CVE-2023-46304Exploit
- https://www.vtiger.com/Product
- https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Users/models/ModuProduct
- https://code.vtiger.com/vtiger/vtigercrm/-/commit/317f9ca88b6bbded11058f20a1d232Patch
- https://github.com/jselliott/CVE-2023-46304Exploit
- https://www.vtiger.com/Product
FAQ
What is CVE-2023-46304?
CVE-2023-46304 is a vulnerability with a CVSS score of 8.1 (HIGH). modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.ph...
How severe is CVE-2023-46304?
CVE-2023-46304 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-46304?
Check the references section above for vendor advisories and patch information. Affected products include: Vtiger Vtiger Crm.