CVE-2013-3213

vtiger CRM 5.0.0-5.4.0 - SQL Injection via Picklist Name or Email Address Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-3213.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities in vtiger CRM, including Local File Inclusion (LFI) and SQL Injection (SQLi) flaws. It provides code snippets, affected versions, and technical analysis of the vulnerabilities.

Description

Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.

Exploits (1)

exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/27279

Classification
Writeup 100%
Attack Type
Sqli | Lfi
Complexity
Moderate
Reliability
Reliable
Target: vtiger CRM <= 5.4.0
No auth needed
Prerequisites: Access to the SOAP endpoint · PHP < 5.3.4 for LFI exploitation
devstral-2 · analyzed Feb 19, 2026

References (5)

Core References (5)
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/61563
Exploit (x_refsource_misc)
http://karmainsecurity.com/KIS-2013-06
Exploit, mailing-list (x_refsource_bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2013-08/0001.html
Various Sources (x_refsource_confirm)
https://www.vtiger.com/blogs/?p=1467
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/86129

Scores

EPSS 0.0321
EPSS Percentile 86.5%

Details

CWE
CWE-89
Status published
Products (10)
vtiger/vtiger_crm 5.0.0
vtiger/vtiger_crm 5.0.1
vtiger/vtiger_crm 5.0.2
vtiger/vtiger_crm 5.0.3
vtiger/vtiger_crm 5.0.4 (2 CPE variants)
vtiger/vtiger_crm 5.1.0 (2 CPE variants)
vtiger/vtiger_crm 5.2.0
vtiger/vtiger_crm 5.2.1
vtiger/vtiger_crm 5.3.0
vtiger/vtiger_crm 5.4.0
Published Apr 02, 2014
Tracked Since Feb 18, 2026