Contributed by: Lauren Gerber
Date: August 21, 2009

vtiger CRM Suffers from Multiple Problems

If you had to close your eyes and visualize what computers will look and feel like in fifty years' time, what would you see? Do you think the internet will change much in the next fifty years, and if so, how vast will those changes be? Do you think that as computers and technology advance over the next fifty years, the fixes for computer security vulnerabilities will advance too? The fixes, patches and updates may well advance, but however big the advances in computers and technology, the internet will most probably still experience vulnerabilities. Sometimes not one but multiple vulnerabilities occur in a single program or application. This is currently the case with the multiple vulnerabilities recently discovered in vtiger CRM.

Let me give you a brief introduction to vtiger CRM. vtiger CRM is a fully functional software package geared towards both small and medium-sized companies. It is open source, which is fantastic because it makes its benefits available to users all over the world. It also provides many extensibility and customization features that let users meet the needs of their businesses. vtiger CRM is available for both Linux and Windows operating systems. This includes the Windows Millennium Edition. Some of the files of the Windows Millennium Edition include annui.exe, apcompat.inf, copy.inf and control.inf.

Now let me give you more details about some of these vulnerabilities. One of them, if exploited in the right manner, allows additional RSS feeds to be added. There is also a problem with the file upload function in a specific email module, which does not check file names and extensions thoroughly. A more severe problem is that certain input passed to the "module" parameter in graph.php is not properly verified before being used to include files. If this particular issue is successfully exploited by malicious online attackers, it could result in the execution of arbitrary HTML and script code.
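To make the two input-handling problems described above concrete, here is an added example in PHP, the language vtiger CRM is written in. It is not vtiger's code: the module allowlist, the extension list and the function names are assumptions chosen for illustration. It shows the unsafe pattern of letting a request parameter decide which file gets included, next to an allowlist check, and a filename check for uploads that rejects extensions outside a fixed list.

```php
<?php
// Added example, not vtiger CRM's code. The module names, the extension
// list and the function names below are assumptions for illustration.

// Hypothetical allowlist of module names the application actually ships.
const KNOWN_MODULES = ['Accounts', 'Calendar', 'Contacts', 'Leads'];

// Hypothetical allowlist of attachment extensions the business needs.
const ALLOWED_UPLOAD_EXTENSIONS = ['pdf', 'png', 'jpg', 'txt', 'csv'];

/**
 * Unsafe pattern (for contrast only): the request parameter is spliced
 * straight into an include path, so the client decides which file is
 * loaded. This is the class of defect described for graph.php.
 */
function includeModuleUnsafe(array $request): string
{
    return __DIR__ . '/modules/' . $request['module'] . '/graph.php';
}

/**
 * Hardened form: compare the parameter against a fixed allowlist and only
 * then map it to a path the application chose. A value that is not on the
 * list is refused before it can influence the filesystem lookup.
 */
function resolveModuleInclude(array $request): ?string
{
    $module = $request['module'] ?? '';
    if (!in_array($module, KNOWN_MODULES, true)) {
        return null; // unknown or malformed module name: refuse
    }
    return __DIR__ . '/modules/' . $module . '/graph.php';
}

/**
 * Upload check: accept only a plain base name made of safe characters whose
 * extension is on the allowlist. The stored name is generated server-side,
 * so the client-supplied name never becomes part of a path.
 */
function validateUploadName(string $clientName): ?string
{
    $base = basename($clientName);
    if ($base === '' || $base !== $clientName) {
        return null; // the name carried a directory component
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $base)) {
        return null; // unexpected characters
    }
    // pathinfo() takes the last extension, so "report.pdf.php" yields "php".
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true)) {
        return null; // e.g. ".php", or no extension at all
    }
    // Server-chosen storage name; keep the original only as metadata.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration with constructed inputs.
foreach (['Calendar', 'Unknown', ''] as $m) {
    printf("module %-10s -> %s\n", var_export($m, true),
        resolveModuleInclude(['module' => $m]) === null ? 'refused' : 'allowed');
}
foreach (['quarterly-report.pdf', 'report.pdf.php', 'sub/dir/report.pdf', 'notes'] as $n) {
    printf("upload %-22s -> %s\n", $n,
        validateUploadName($n) === null ? 'refused' : 'accepted');
}
```

The design point in both functions is the same: the client-controlled value is compared against a list the application owns and is then replaced by a server-chosen value (a mapped path, a random storage name), so it never reaches `include` or the filesystem directly. For a deployed vtiger CRM installation the remedy remains the vendor patches mentioned later in this article; the code above only shows what the fixed behaviour has to look like.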

You may be wondering whether these are all the vulnerabilities. The answer is no; I will tell you about a few more. The application does not restrict its users from deleting and inserting file attachments the way it should. It also fails to restrict its users from overwriting certain elements of the "Account Billing Address" and the "Shipping Address". This is not the end of it: the application also fails to restrict users from gaining access to certain disabled fields in the way it should. This issue may be exploited by malicious online attackers by creating a custom view for the calendar.

The impact of these vulnerabilities:
Cross-site scripting attacks.
Exposure of sensitive information.
System access.
Security bypass.

Table 1. The impact of these vulnerabilities.

At this point you may be wondering which version of vtiger CRM is vulnerable. The vulnerable version is vtiger CRM 5.x. All users should be aware that other versions may also be affected by these vulnerabilities. All of them have been rated as moderately critical. If you would like to know what you can do to remain safe: apply the recently released vendor patches as soon as possible.

User Comments

Alexis Torres February 8, 2010
Jon: Not all companies use Vtiger internally; we also use it with clients in a public domain.
sabat September 3, 2009
Concerning the 5.X issue: the problems appear to be in the 5.0.X series, and addressed with the 5.1 release. Take a look at the vulnerability links provided.
sabat September 3, 2009
If it's used internally, then who cares? You do, if one or more of your employees decide to play with the security holes to see what they can do.
Jon September 1, 2009
As this program is used primarily internally by company employees, who cares? That's like saying you found a security hole in Windows Minesweeper that allows you to delete a file. As the only people using the software are employees, security is not and should not be a priority.
Gerd August 21, 2009
Today (2009-08-21) the actual vtiger version is 5.1.
Not serious to say that 'The vulnerable version is vtiger CRM 5.x.'
They can have it fixed with 5.2.

BR
Gerd