Description
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
References (7)
Core 7
Core References
Patch, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/27228
Broken Link x_refsource_confirm
http://sourceforge.net/project/shownotes.php?release_id=567189
Broken Link vdb-entry
x_refsource_osvdb
http://www.osvdb.org/40218
Vendor Advisory x_refsource_confirm
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107
Vendor Advisory x_refsource_confirm
http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28370
Exploit, Vendor Advisory x_refsource_misc
http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811
Scores
EPSS
0.0280
EPSS Percentile
84.8%
Details
CWE
CWE-200
Status
published
Products (1)
vtiger/vtiger_crm
< 5.0.3
Published
Aug 04, 2008
Tracked Since
Feb 18, 2026