http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3101
http://www.vtiger.de/
vtigerCRM is a Open Source Customer Relationship Management (CRM) Software.
The application is vulnerable to simple Cross Site Scripting, which can be used for several isues
Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with:
http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script>
http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script>
http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script>
...
vtiger CRM Security Patch for 5.0.4
2008-07-28 Vendor contacted
2008-07-28 Vendor fixed issue in test environment
2008-07-30 Vender released patch
2008-07-30 Vendor dev statet they'll release a second patch within days
2008-09-01 published advisory, no second patch from upstream yet
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
This vulnerability was discovered by Fabian Fingerle (published with help from seracom GmbH and Hanno Boeck).
It's licensed under the
creative commons attribution license.
Fabian Fingerle, 2008-09-01, http://www.fabian-fingerle.de