CVE-2014-2268

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.

Published: Nov 16, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-2268
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
vtiger / vtiger_crm	5.0.3	5.0.3.x
vtiger / vtiger_crm	5.0.1	5.0.1.x
vtiger / vtiger_crm	5.3.0	5.3.0.x
vtiger / vtiger_crm	5.1.0	5.1.0.x
vtiger / vtiger_crm	5.2.0	5.2.0.x
vtiger / vtiger_crm	2.0.1	2.0.1.x
vtiger / vtiger_crm	2.0	2.0.x
vtiger / vtiger_crm	4.2	4.2.x
vtiger / vtiger_crm	5.0.4	5.0.4.x
vtiger / vtiger_crm	6.0.0	6.0.0.x
vtiger / vtiger_crm	5.4.0	5.4.0.x
vtiger / vtiger_crm	2.1	2.1.x
vtiger / vtiger_crm	5.1.0-rc	5.1.0-rc.x
vtiger / vtiger_crm	4	4.x
vtiger / vtiger_crm	4.0	4.0.x
vtiger / vtiger_crm	3.0-beta	3.0-beta.x
vtiger / vtiger_crm	3.0	3.0.x
vtiger / vtiger_crm	4-rc1	4-rc1.x
vtiger / vtiger_crm	5.0.0	5.0.0.x
vtiger / vtiger_crm	5.0.2	5.0.2.x
vtiger / vtiger_crm	3.2	3.2.x
vtiger / vtiger_crm	5.0.4-rc	5.0.4-rc.x
vtiger / vtiger_crm	1.0	1.0.x
vtiger / vtiger_crm	4-beta	4-beta.x
vtiger / vtiger_crm	4.2.4	4.2.4.x
vtiger / vtiger_crm	5.2.1	5.2.1.x
vtiger / vtiger_crm	4.0.1	4.0.1.x
vtiger / vtiger_crm	6.0.0-sp1	6.0.0-sp1.x
vtiger / vtiger_crm	6.0.0-rc	6.0.0-rc.x
vtiger / vtiger_crm	6.0.0-beta	6.0.0-beta.x

Vulnerability Database

289,697

CVE-2014-2268