CVE-2023-46304

HIGH

Vtiger CRM 7.5.0 - Code Injection

Title source: llm

Description

modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code, because an unprotected endpoint lets them write that code into the config.inc.php file, which is executed on every page load.

Exploits (1)

nomisec writeup (1 star) · PoC by jselliott
https://github.com/jselliott/CVE-2023-46304

Scores

CVSS v3 8.1
EPSS 0.2076
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-74
Status published
Products (1)
vtiger/vtiger_crm 7.5.0
Published Apr 30, 2024
Tracked Since Feb 18, 2026