CVE-2013-3591

HIGH

vtiger CRM 5.3 and 5.4 - Unrestricted Upload of File with Dangerous Type

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-3591. PoCs published by Metasploit, including Metasploit module exploits/multi/http/vtiger_php_exec.

AI-analyzed exploit summary This Metasploit module exploits an authenticated file upload vulnerability in vTiger CRM 5.4.0 and 5.3.0, allowing arbitrary PHP code execution by uploading a malicious PHP script to the 'files' directory.

Description

vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/29319

View Code ZIP pw:eip

This Metasploit module exploits an authenticated file upload vulnerability in vTiger CRM 5.4.0 and 5.3.0, allowing arbitrary PHP code execution by uploading a malicious PHP script to the 'files' directory.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vTiger CRM v5.4.0, v5.3.0

Auth required

Prerequisites: Valid credentials for vTiger CRM · Access to the file upload functionality

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vtiger_php_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated file upload vulnerability in vTiger CRM, allowing arbitrary PHP code execution by uploading a malicious PHP script to the 'files' directory. The exploit leverages insufficient folder permissions to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vTiger CRM v5.4.0, v5.3.0

Auth required

Prerequisites: Valid credentials for vTiger CRM · Access to the file upload functionality

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats

Third Party Advisory x_refsource_misc

https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one

Third Party Advisory, VDB Entry x_refsource_misc

http://www.securityfocus.com/bid/63454

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://www.exploit-db.com/exploits/29319

Scores

CVSS v3 8.8

EPSS 0.4310

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

vtiger/vtiger_crm 5.3.0

vtiger/vtiger_crm 5.4.0

Published Feb 07, 2020

Tracked Since Feb 18, 2026