Date: Mon, 4 Aug 2008 14:49:11 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: vtigercrm < 5.0.4
======================================================
Name: CVE-2008-3458
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3458
Reference: MISC:http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=567189
Reference: CONFIRM:http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107
Reference: CONFIRM:http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes
Reference: BID:27228
Reference: URL:http://www.securityfocus.com/bid/27228
Reference: OSVDB:40218
Reference: URL:http://www.osvdb.org/40218
Reference: SECUNIA:28370
Reference: URL:http://secunia.com/advisories/28370

Vtiger CRM before 5.0.4 stores sensitive information under the web
root with insufficient access control, which allows remote attackers
to read mail merge templates via a direct request to the
wordtemplatedownload directory.