CVE-2023-46304
HIGHvtiger CRM 7.5.0 - Authenticated Remote Code Execution via Config File Write
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2023-46304. PoCs published by jselliott.
AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-46304, an authenticated remote code execution vulnerability in VTiger CRM Open Source v7.5.0. The vulnerability arises from insufficient validation in the currency name update functionality, allowing arbitrary PHP code injection into config.inc.php.
Description
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
Exploits (1)
This repository provides a detailed technical analysis of CVE-2023-46304, an authenticated remote code execution vulnerability in VTiger CRM Open Source v7.5.0. The vulnerability arises from insufficient validation in the currency name update functionality, allowing arbitrary PHP code injection into config.inc.php.
References (4)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H