VULHUB ™

vtiger CRM 5.0.4版本中存在多个目录遍历漏洞。远程攻击者可以借助(1)对graph.php的模块参数; 或(2)模块或(3)对include/Ajax/CommonAjax.php的可以从modules/Campaigns/CampaignsAjax.php，modules/SalesOrder/SalesOrderAjax.php,modules/System/SystemAjax.php,modules/Products/ProductsAjax.php,modules/uploads/uploadsAjax.php,modules/Dashboard/DashboardAjax.php,modules/Potentials/PotentialsAjax.php,modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, odules/Quotes/QuotesAjax.php,modules/Utilities/UtilitiesAjax.php,modules/Calendar/ActivityAjax.php,modules/Calendar/CalendarAjax.php,modules/PurchaseOrder/PurchaseOrderAjax.php,modules/HelpDesk/HelpDeskAjax.php,modules/Invoice/InvoiceAjax.php,modules/Accounts/AccountsAjax.php,modules/Reports/ReportsAjax.php,modules/Contacts/ContactsAjax.php以及modules/Portal/PortalAjax.php中获得的文件参数中的一个..，包括和执行任意本地文件；远程认证用户可以借助对(4)Accounts,(5)Contacts,(6) elpDesk,(7)Leads,(8)Potentials,(9)Products,或(10)Vendors模块并可以从index.php和modules/Import/index.php和多个Import.php文件中获得的一个输入操作的step参数的..，包括和执行任意本地文件。

vtiger CRM 5.0.4版本中存在多个目录遍历漏洞。远程攻击者可以借助(1)对graph.php的模块参数; 或(2)模块或(3)对include/Ajax/CommonAjax.php的可以从modules/Campaigns/CampaignsAjax.php，modules/SalesOrder/SalesOrderAjax.php,modules/System/SystemAjax.php,modules/Products/ProductsAjax.php,modules/uploads/uploadsAjax.php,modules/Dashboard/DashboardAjax.php,modules/Potentials/PotentialsAjax.php,modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, odules/Quotes/QuotesAjax.php,modules/Utilities/UtilitiesAjax.php,modules/Calendar/ActivityAjax.php,modules/Calendar/CalendarAjax.php,modules/PurchaseOrder/PurchaseOrderAjax.php,modules/HelpDesk/HelpDeskAjax.php,modules/Invoice/InvoiceAjax.php,modules/Accounts/AccountsAjax.php,modules/Reports/ReportsAjax.php,modules/Contacts/ContactsAjax.php以及modules/Portal/PortalAjax.php中获得的文件参数中的一个..，包括和执行任意本地文件；远程认证用户可以借助对(4)Accounts,(5)Contacts,(6) elpDesk,(7)Leads,(8)Potentials,(9)Products,或(10)Vendors模块并可以从index.php和modules/Import/index.php和多个Import.php文件中获得的一个输入操作的step参数的..，包括和执行任意本地文件。