Web application abuses : BrowserCRM Multiple SQLi and XSS Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.902691

Categoría: Web application abuses

Título: BrowserCRM Multiple SQLi and XSS Vulnerabilities

Resumen: BrowserCRM is prone to multiple SQL injection (SQLi) and; cross-site scripting (XSS) vulnerabilities.

Descripción: Summary:
BrowserCRM is prone to multiple SQL injection (SQLi) and
cross-site scripting (XSS) vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to inputs passed via

- The 'PATH_INFO' to index.php, modules/admin/admin_module_index.php, or
modules/calendar/customise_calendar_times.php, 'login[]' parameter to
index.php or pub/clients.php and 'framed' parameter to licence/index.php
or licence/view.php is not properly verified before it is returned to
the user.

- The 'login[username]' parameter to index.php, 'parent_id' parameter to
modules/Documents/version_list.php or 'contact_id' parameter to
modules/Documents/index.php is not properly sanitized before being used
in a SQL query.

Vulnerability Impact:
Successful exploitation will allow remote attackers to execute
arbitrary web script or HTML in a user's browser session in the context of an
affected site and manipulate SQL queries by injecting arbitrary SQL code.

Affected Software/OS:
BrowserCRM version 5.100.1 and prior

Solution:
No known solution was made available for at least one year since the disclosure of this vulnerability.
Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2011-5213
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_browser_crm.html
http://osvdb.org/77733
http://osvdb.org/77734
http://osvdb.org/77735
http://secunia.com/advisories/47217
XForce ISS Database: browsercrm-index-versionlist-sql-injection(71828)
https://exchange.xforce.ibmcloud.com/vulnerabilities/71828
Common Vulnerability Exposure (CVE) ID: CVE-2011-5214
http://osvdb.org/77728
http://osvdb.org/77729
http://osvdb.org/77730
http://osvdb.org/77731
http://osvdb.org/77732
XForce ISS Database: browsercrm-multiple-xss(71827)
https://exchange.xforce.ibmcloud.com/vulnerabilities/71827

Copyright Copyright (C) 2012 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.902691
Categoría:	Web application abuses
Título:	BrowserCRM Multiple SQLi and XSS Vulnerabilities
Resumen:	BrowserCRM is prone to multiple SQL injection (SQLi) and; cross-site scripting (XSS) vulnerabilities.
Descripción:	Summary: BrowserCRM is prone to multiple SQL injection (SQLi) and cross-site scripting (XSS) vulnerabilities. Vulnerability Insight: Multiple flaws are due to inputs passed via - The 'PATH_INFO' to index.php, modules/admin/admin_module_index.php, or modules/calendar/customise_calendar_times.php, 'login[]' parameter to index.php or pub/clients.php and 'framed' parameter to licence/index.php or licence/view.php is not properly verified before it is returned to the user. - The 'login[username]' parameter to index.php, 'parent_id' parameter to modules/Documents/version_list.php or 'contact_id' parameter to modules/Documents/index.php is not properly sanitized before being used in a SQL query. Vulnerability Impact: Successful exploitation will allow remote attackers to execute arbitrary web script or HTML in a user's browser session in the context of an affected site and manipulate SQL queries by injecting arbitrary SQL code. Affected Software/OS: BrowserCRM version 5.100.1 and prior Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2011-5213 https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_browser_crm.html http://osvdb.org/77733 http://osvdb.org/77734 http://osvdb.org/77735 http://secunia.com/advisories/47217 XForce ISS Database: browsercrm-index-versionlist-sql-injection(71828) https://exchange.xforce.ibmcloud.com/vulnerabilities/71828 Common Vulnerability Exposure (CVE) ID: CVE-2011-5214 http://osvdb.org/77728 http://osvdb.org/77729 http://osvdb.org/77730 http://osvdb.org/77731 http://osvdb.org/77732 XForce ISS Database: browsercrm-multiple-xss(71827) https://exchange.xforce.ibmcloud.com/vulnerabilities/71827
Copyright	Copyright (C) 2012 Greenbone AG