oss-sec mailing list archives

Re: CVE Request: vTiger CRM 5.2.x <= Remote Code Execution Vulnerability


From: Tomas Hoger <thoger () redhat com>
Date: Wed, 5 Oct 2011 12:37:10 +0200

On Wed, 5 Oct 2011 18:07:59 +0800 YGN Ethical Hacker Group wrote:

> vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
>
> ...
>
> vTiger uses the vulnerable version of phpmailer class file located at
> /cron/class.phpmailer.php .
>
> ...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215

As you point out, the application embeds a vulnerable copy of some other
application, and the issue already has a CVE assigned.  In such cases,
the phpmailer CVE should be used in the vtiger updates (if any).

It was launched as a fork of version 1.0 of the SugarCRM project
launched on December 31st, 2004.

Wonder if any of the other reported issues are really sugarcrm issues
that did not get fixed in vtiger.

-- 
Tomas Hoger / Red Hat Security Response Team
