CVE-2009-3247
vtiger CRM 5.0.4 - Cross-Site Scripting via Activities Module Action Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-3247. PoCs published by USH.
AI-analyzed exploit summary
This is a detailed technical advisory describing multiple vulnerabilities in Vtiger CRM 5.0.4, including RCE (Windows-specific), CSRF, LFI, and XSS. It provides root cause analysis, exploitation methodologies, and specific code paths but does not include functional exploit code.
Description
Cross-site scripting (XSS) vulnerability in the Activities module in vtiger CRM 5.0.4 allows remote attackers to inject arbitrary web script or HTML via the action parameter to phprint.php. NOTE: the query_string vector is already covered by CVE-2008-3101.3.
Exploits (1)
This is a detailed technical advisory describing multiple vulnerabilities in Vtiger CRM 5.0.4, including RCE (Windows-specific), CSRF, LFI, and XSS. It provides root cause analysis, exploitation methodologies, and specific code paths but does not include functional exploit code.