CVE-2023-46304

HIGH

vtiger CRM 7.5.0 - Authenticated Remote Code Execution via Config File Write

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-46304. PoCs published by jselliott.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-46304, an authenticated remote code execution vulnerability in VTiger CRM Open Source v7.5.0. The vulnerability arises from insufficient validation in the currency name update functionality, allowing arbitrary PHP code injection into config.inc.php.

Description

modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

Exploits (1)

nomisec WRITEUP 1 stars
by jselliott · poc
https://github.com/jselliott/CVE-2023-46304

This repository provides a detailed technical analysis of CVE-2023-46304, an authenticated remote code execution vulnerability in VTiger CRM Open Source v7.5.0. The vulnerability arises from insufficient validation in the currency name update functionality, allowing arbitrary PHP code injection into config.inc.php.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VTiger CRM Open Source v7.5.0
Auth required
Prerequisites: Authenticated session · CSRF token · Access to the Users module
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

Scores

CVSS v3 8.1
EPSS 0.0166
EPSS Percentile 73.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-74
Status published
Products (1)
vtiger/vtiger_crm 7.5.0
Published Apr 30, 2024
Tracked Since Feb 18, 2026