vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2011-5052
Release Date: 26 October 2011
Vendor:
Affected Version: 5.2.1
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache/2.0.52 (Win32), PHP/5.2.6, MySQL 5.0.51b-community-nt-log

Summary

vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support.

Description

vtiger CRM suffers from an XSS vulnerability: user input supplied to the '_operation' and 'search' parameters of the '/modules/mobile/index.php' script via the GET method is returned to the browser without adequate sanitization. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
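
As an added defender-side example, not part of the advisory or of vtiger CRM, the script below scans constructed Apache access-log lines for GET requests to the affected script whose '_operation' or 'search' values contain HTML markup characters after percent-decoding (double encoding included). The endpoint and parameter names come from the advisory; the log lines, the decode depth of three and the markup character set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and GET parameters named in the advisory.
AFFECTED_SCRIPT = "/modules/mobile/index.php"
AFFECTED_PARAMS = ("_operation", "search")
# Characters an HTML context treats as markup; none belong in these parameters (assumed set).
MARKUP_CHARS = re.compile(r'[<>"\']')
# Apache combined log format; only the client IP and the request line are used.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target: str) -> dict:
    """Map each affected parameter whose decoded value contains markup characters to that value."""
    parts = urlsplit(target)
    if not parts.path.endswith(AFFECTED_SCRIPT):
        return {}
    hits = {}
    # parse_qs already removes one encoding layer; fully_decode handles any further layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in AFFECTED_PARAMS:
            for raw in values:
                decoded = fully_decode(raw)
                if MARKUP_CHARS.search(decoded):
                    hits[name] = decoded
    return hits

def scan_log(lines) -> list:
    """Return (client_ip, parameter, decoded_value) for every GET request that trips the check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("method") == "GET":
            for name, value in suspicious_params(m.group("target")).items():
                findings.append((m.group("ip"), name, value))
    return findings

# Constructed sample log lines (not real traffic): one benign request, one encoded
# and one double-encoded markup probe against the affected script.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2011:10:00:00 +0000] "GET /modules/mobile/index.php?_operation=login&search=john HTTP/1.1" 200 512',
    '192.0.2.11 - - [26/Oct/2011:10:00:05 +0000] "GET /modules/mobile/index.php?search=%3Cb%3Ex HTTP/1.1" 200 611',
    '192.0.2.12 - - [26/Oct/2011:10:00:09 +0000] "GET /modules/mobile/index.php?_operation=%253Cx%253E HTTP/1.1" 200 611',
]
```

Run scan_log(SAMPLE_LOG) to see which client addresses sent markup in which parameter; requests to other scripts are ignored by design.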

Proof of Concept

Disclosure Timeline

28.07.2011 - Vulnerabilities discovered.
28.07.2011 - Initial contact with the vendor.
29.07.2011 - Vendor replies asking for more details.
29.07.2011 - Sent details to vendor.
01.08.2011 - Requested status update from vendor.
02.08.2011 - Vendor investigates and confirms issues.
02.08.2011 - Asked vendor for patch release date.
04.08.2011 - No reply from vendor.
05.08.2011 - Asked vendor to specify patch release date.
05.08.2011 - Vendor plans to release the 5.3.0 RC by the end of the month.
21.08.2011 - Asked vendor for specific patch release date.
22.08.2011 - Vendor replies promising official release by mid September.
14.09.2011 - Asked vendor for update.
14.09.2011 - Vendor replies extending official release date.
26.10.2011 - Coordinated public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

Changelog

26.10.2011 - Initial release
27.10.2011 - Added reference [7]