AOH :: HP Unsorted M :: VA1098.HTM

Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101



Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101
Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101



This is a MIME-formatted message.  If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_zucker.schokokeks.org-27956-1220261044-0001-2
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4,
CVE-2008-3101 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101 
http://www.vtiger.de/ 

Description

vtigerCRM is a Open Source Customer Relationship Management (CRM)
Software. The application is vulnerable to simple Cross Site Scripting,
which can be used for several isues 

Example

Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can 
inject JavaScript with:
 
 
 

Workaround/Fix

vtiger CRM Security Patch for 5.0.4 [1]

Disclosure Timeline

2008-07-28 Vendor contacted
2008-07-28 Vendor fixed issue in test environment
2008-07-30 Vender released patch
2008-07-30 Vendor dev statet they'll release a second patch within days
2008-09-01 published advisory, no second patch from upstream yet

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3101 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for 
security problems. Credits and copyright

This vulnerability was discovered by Fabian Fingerle [2] (published with
help from Hanno Boeck [3]). It's licensed under the creative
commons attribution license [4].

Fabian Fingerle, 2008-09-01

[1] http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdownloads_pi1[category_uid]=5&cHash=e16be773a5 
[2] http://www.fabian-fingerle.de 
[3] http://www.hboeck.de 
[4] http://creativecommons.org/licenses/by/3.0/de/ 

-- 
_GPG_ 3D17 CAC8 1955 1908 65ED  5C51 FDA3 6A09 AB41 AB85
_chaos events near stuttgart_ www.datensalat.eu 

--=_zucker.schokokeks.org-27956-1220261044-0001-2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=signature.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAki7tLMACgkQ/aNqCatBq4WN1ACfcQdkqv37thokF2y7/KYjxza5
uo0AoKbJaDvI3wfzekUz5iVel9pUd7g7
=MD2c
-----END PGP SIGNATURE-----

--=_zucker.schokokeks.org-27956-1220261044-0001-2--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.