CVE-2011-4670— vTiger CRM跨站脚本漏洞

N/A

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php.

N/A

N/A

vTiger CRM跨站脚本漏洞

Vtiger CRM是美国Vtiger公司的一套基于SugarCRM开发的客户关系管理系统（CRM）。该管理系统提供管理、收集、分析客户信息等功能。 vTiger CRM 5.2.1以及之前版本中存在多个跨站脚本漏洞。该漏洞源于对用户提供的数据没有经过正确的检查。远程攻击者可利用该漏洞在受影响站点上下文的未知用户浏览器中执行任意脚本代码，窃取基于cookie的认证证书进而发起其他攻击，或者可通过多个参数注入任意web脚本或者HTML，例如：viewname和activity_mode 参数。

N/A

N/A