CVE-2010-3910
vtiger CRM < 5.2.1 - Remote File Inclusion via Language Parameter Traversal
Title source: llmDescription
Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php.
References (5)
Core 5
Core References
Various Sources x_refsource_misc
http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt
Various Sources x_refsource_misc
http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/42246
Third Party Advisory x_refsource_misc
http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/514846/100/0/threaded
Scores
EPSS
0.0737
EPSS Percentile
93.7%
Details
CWE
CWE-22
Status
published
Products (18)
vtiger/vtiger_crm
1.0
vtiger/vtiger_crm
2.0
vtiger/vtiger_crm
2.0.1
vtiger/vtiger_crm
2.1
vtiger/vtiger_crm
3
vtiger/vtiger_crm
3.0 (2 CPE variants)
vtiger/vtiger_crm
3.2
vtiger/vtiger_crm
4 (3 CPE variants)
vtiger/vtiger_crm
4.0
vtiger/vtiger_crm
4.0.1
... and 8 more
Published
Nov 26, 2010
Tracked Since
Feb 18, 2026