CVE-2008-3101

vtiger CRM 5.0.4 - Cross-Site Scripting via Parenttab, User Password, or Query String Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3101. PoCs published by Fabian Fingerle.

AI-analyzed exploit summary The exploit demonstrates multiple XSS vulnerabilities in vtiger CRM by injecting script tags into URL parameters. It targets unsanitized input in the 'module', 'action', and 'query_string' parameters.

Description

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Fabian Fingerle · textwebappsphp

https://www.exploit-db.com/exploits/32307

View Code ZIP pw:eip

The exploit demonstrates multiple XSS vulnerabilities in vtiger CRM by injecting script tags into URL parameters. It targets unsanitized input in the 'module', 'action', and 'query_string' parameters.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: vtiger CRM 5.0.4

No auth needed

Prerequisites: Access to the target vtiger CRM instance

MITRE ATT&CK