oss-sec mailing list archives
Re: CVE Request: vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 5 Oct 2011 12:37:10 +0200
On Wed, 5 Oct 2011 18:07:59 +0800 YGN Ethical Hacker Group wrote:
> vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
> ...
> vTiger uses the vulnerable version of phpmailer class file located at /cron/class.phpmailer.php .
> ...
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
As you point out, the application embeds a vulnerable copy of another application, and the issue already has a CVE assigned. In such cases, the phpmailer CVE should be used in the vtiger updates (if any).
> It was launched as a fork of version 1.0 of the SugarCRM project launched on December 31st, 2004.
Wonder if any of the other reported issues are really SugarCRM issues that did not get fixed in vtiger.

-- 
Tomas Hoger / Red Hat Security Response Team