|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4208 CVE : CVE-2008-3101 CWE : CWE-79 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : Yes Victim interaction required : Yes Exploit Available : No Credit : Fabian Fingerle Published : 04.09.2008
Advisory Content : Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101 References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101 http://www.vtiger.de/ Description vtigerCRM is a Open Source Customer Relationship Management (CRM) Software. The application is vulnerable to simple Cross Site Scripting, which can be used for several isues Example Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with: http://localhost/vtigercrm/index.php?module=Products&action=index&parent tab="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&us er_password="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&qu ery_string="><script>alert(1);</script> Workaround/Fix vtiger CRM Security Patch for 5.0.4 [1] Disclosure Timeline 2008-07-28 Vendor contacted 2008-07-28 Vendor fixed issue in test environment 2008-07-30 Vender released patch 2008-07-30 Vendor dev statet they'll release a second patch within days 2008-09-01 published advisory, no second patch from upstream yet CVE Information The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright This vulnerability was discovered by Fabian Fingerle [2] (published with help from Hanno Boeck [3]). It's licensed under the creative commons attribution license [4]. Fabian Fingerle, 2008-09-01 [1] http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi 1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdow nloads_pi1[category_uid]=5&cHash=e16be773a5 [2] http://www.fabian-fingerle.de [3] http://www.hboeck.de [4] http://creativecommons.org/licenses/by/3.0/de/ -- _GPG_ 3D17 CAC8 1955 1908 65ED 5C51 FDA3 6A09 AB41 AB85 _chaos events near stuttgart_ www.datensalat.eu -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAki7tLMACgkQ/aNqCatBq4WN1ACfcQdkqv37thokF2y7/KYjxza5 uo0AoKbJaDvI3wfzekUz5iVel9pUd7g7 =MD2c -----END PGP SIGNATURE----- References : http://www.securityfocus.com/bid/30951
http://secunia.com/advisories/31679
http://xforce.iss.net/xforce/xfdb/44792
http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdownloads_pi1[category_uid]=5&cHash=e16be773a5
http://www.securityfocus.com/archive/1/archive/1/495885/100/0/threaded
http://www.frsirt.com/english/advisories/2008/2471
http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |