vtiger CRM Multiple CVE-2011-4680 Unspecified Cross Site Scripting Vulnerabilities
BID:51023
Info
| Bugtraq ID: | 51023 |
| Class: | Input Validation Error |
| CVE: | CVE-2011-4680 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 12 2011 12:00AM |
| Updated: | Dec 12 2011 12:00AM |
| Credit: | Unknown |
| Vulnerable: | vtiger vtiger CRM 5.0.4; vtiger vtiger CRM 5.0.3; vtiger vtiger CRM 4.2.4; vtiger vtiger CRM 4.2; vtiger vtiger CRM 5.0.4 RC; vtiger vtiger 5.0.4 RC |
| Not Vulnerable: | vtiger vtiger CRM 5.3; vtiger vtiger CRM 5.2.1; vtiger vtiger CRM 5.2 |
Discussion
vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to vtiger CRM 5.2.0 are vulnerable.
Exploit / POC
An attacker can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Vendor updates are available. Please see the references for details.
References
References:
- Update On Vtiger (vtiger)
- vtiger Homepage (vtiger)