CVE-2014-1222

vtiger CRM < 6.0.0 - Authenticated Path Traversal via KCFinder File Parameter

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-1222. PoCs published by Portcullis and DaOne.

AI-analyzed exploit summary: This is a local file inclusion (LFI) vulnerability in Vtiger CRM's 'kcfinder' component, allowing authenticated attackers to read arbitrary files via directory traversal sequences. The PoC demonstrates retrieving the /etc/passwd file.

Description

Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM.

Exploits (3)

exploitdb · Working PoC · Verified
by Portcullis · tags: text, webapps, php
https://www.exploit-db.com/exploits/32213

This is a local file inclusion (LFI) vulnerability in Vtiger CRM's 'kcfinder' component, allowing authenticated attackers to read arbitrary files via directory traversal sequences. The PoC demonstrates retrieving the /etc/passwd file.

Classification
Working PoC: 100%
Attack type: Info leak
Complexity: Trivial
Reliability: Reliable
Target: Vtiger CRM 5.4.0, 6.0 RC & 6.0.0 GA
Auth required
Prerequisites: Authenticated access to the Vtiger CRM application
Analyzed by devstral-2 on Feb 16, 2026

exploitdb · Working PoC
by DaOne · tags: text, webapps, php
https://www.exploit-db.com/exploits/27597

This exploit demonstrates a directory traversal vulnerability in KCFinder, allowing an attacker to disclose arbitrary local files by manipulating the 'dir' and 'file' parameters in a POST request.

Classification
Working PoC: 90%
Attack type: Info leak
Complexity: Trivial
Reliability: Reliable
Target: KCFinder 2.51 and older versions
No auth needed
Prerequisites: Access to the KCFinder browse.php endpoint
Analyzed by devstral-2 on Feb 16, 2026

exploitdb · Working PoC
tags: webapps, php
https://www.exploit-db.com/exploits/36581

The provided exploit demonstrates multiple SQL injection vulnerabilities in FiyoCMS 2.0.1.8, including UNION-based, error-based, and time-based blind SQLi. It includes detailed payloads and Sqlmap outputs for specific parameters like 'id', 'cat', 'level', and 'user'.

Classification
Working PoC: 95%
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: FiyoCMS 2.0.1.8
No auth needed
Prerequisites: Access to the vulnerable FiyoCMS instance
Analyzed by devstral-2 on Feb 19, 2026

Scores

EPSS: 0.0880
EPSS percentile: 94.5%

Details

CWE: CWE-22
Status: published
Products (1): vtiger/vtiger_crm < 6.0.0
Published: Aug 12, 2014
Tracked since: Feb 18, 2026