CVE-2010-3910

vtiger CRM < 5.2.1 - Remote File Inclusion via Language Parameter Traversal

Title source: llm
STIX 2.1

Description

Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php.

References (5)

Core 5
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42246
Third Party Advisory x_refsource_misc
http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/514846/100/0/threaded

Scores

EPSS 0.0737
EPSS Percentile 93.7%

Details

CWE
CWE-22
Status published
Products (18)
vtiger/vtiger_crm 1.0
vtiger/vtiger_crm 2.0
vtiger/vtiger_crm 2.0.1
vtiger/vtiger_crm 2.1
vtiger/vtiger_crm 3
vtiger/vtiger_crm 3.0 (2 CPE variants)
vtiger/vtiger_crm 3.2
vtiger/vtiger_crm 4 (3 CPE variants)
vtiger/vtiger_crm 4.0
vtiger/vtiger_crm 4.0.1
... and 8 more
Published Nov 26, 2010
Tracked Since Feb 18, 2026