Is CVE-2019-5009 actively exploited?

CVE-2019-5009 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2019-5009?

CVE-2019-5009 has a CVSS score of 7.2 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2019-5009?

Patch guidance is available from vtiger security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2019-5009.

Which products are affected by CVE-2019-5009?

2 products: vtiger vtiger crm, vtiger vtiger crm.

Fix CVE-2019-5009 - HIGH vtiger vtiger crm

Description

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: high
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-434 · Unrestricted File Upload

Metadata

Primary Vendor: VTIGER
Published: 1/4/2019
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2019-5009

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary