Message-ID: <20111005123710.3def94b0@redhat.com>
Date: Wed, 5 Oct 2011 12:37:10 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: lists@...g.net
Subject: Re: CVE Request: vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

On Wed, 5 Oct 2011 18:07:59 +0800 YGN Ethical Hacker Group wrote:

> vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

...

> vTiger uses the vulnerable version of phpmailer class file located at
> /cron/class.phpmailer.php .

...

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215

As you point out, the application embeds a vulnerable copy of some other
application, and the issue already has a CVE assigned.  In such cases,
the phpmailer CVE should be used in the vtiger updates (if any).

> It was launched as a fork of version 1.0 of the SugarCRM project
> launched on December 31st, 2004.

I wonder if any of the other reported issues are really sugarcrm issues
that did not get fixed in vtiger.

-- 
Tomas Hoger / Red Hat Security Response Team
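The message above turns on a bundled copy of a third-party library (vtiger's /cron/class.phpmailer.php) carrying a CVE that was assigned against the upstream project. A practical follow-up for anyone maintaining such an application is to enumerate every embedded copy of that library and read off the version each one declares, so a fix in one place is not missed in another. The script below is an added example, not code from vtiger, PHPMailer or the original message: it walks an application tree, locates files named class.phpmailer.php, extracts the `$Version` string from each, and optionally flags copies older than a threshold the caller supplies. The threshold is deliberately a parameter with a constructed demo value; the real fixed version must come from the PHPMailer advisory for CVE-2007-3215. The sample class-file contents are constructed and assume the `var $Version = "..."` / `public $Version = '...'` declaration shapes; the directory layout in the demo is likewise made up.

```python
"""Locate bundled copies of PHPMailer (class.phpmailer.php) under an
application tree and report the version each one declares.

Added example; not code from vtiger, PHPMailer or the original message.
"""
import os
import re
import tempfile

# Matches `var $Version = "1.73";` (old 1.x style) and
# `public $Version = '5.1';` (newer style). Assumed shapes, see lead-in.
VERSION_RE = re.compile(
    r'(?:var|public)\s+\$Version\s*=\s*[\'"]([0-9]+(?:\.[0-9]+)*)[\'"]'
)


def parse_version(text):
    """Return the $Version string declared in a PHPMailer class file, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version):
    """'1.70' -> (1, 70); lets us compare dotted versions numerically."""
    return tuple(int(part) for part in version.split("."))


def is_older(found, min_fixed):
    """True when the embedded version sorts before the fixed version."""
    return version_tuple(found) < version_tuple(min_fixed)


def scan_tree(root, min_fixed=None):
    """Walk `root` and return sorted (relative path, version, flagged) tuples
    for every class.phpmailer.php found. `flagged` is True only when a
    threshold is given and the embedded version is older than it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "class.phpmailer.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            flagged = bool(min_fixed and version and is_older(version, min_fixed))
            hits.append((os.path.relpath(path, root), version, flagged))
    return sorted(hits)


# Constructed sample class files: minimal stand-ins for a bundled copy,
# using the two declaration shapes assumed above.
SAMPLE_OLD = '<?php\nclass PHPMailer {\n    var $Version = "1.70";\n}\n'
SAMPLE_NEW = "<?php\nclass PHPMailer {\n    public $Version = '5.1';\n}\n"


def demo():
    """Build a throwaway tree with two bundled copies and scan it.
    The "2.0" threshold is a constructed demo value, not the advisory's."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cron"))
        os.makedirs(os.path.join(root, "modules", "Emails"))
        with open(os.path.join(root, "cron", "class.phpmailer.php"), "w") as fh:
            fh.write(SAMPLE_OLD)
        with open(os.path.join(root, "modules", "Emails", "class.phpmailer.php"), "w") as fh:
            fh.write(SAMPLE_NEW)
        return scan_tree(root, min_fixed="2.0")


if __name__ == "__main__":
    for path, version, flagged in demo():
        note = "  <-- older than threshold" if flagged else ""
        print(f"{path}: PHPMailer {version or '?'}{note}")
```

Run `scan_tree("/path/to/vtiger", min_fixed="<version from the advisory>")` against a real checkout; a copy whose version cannot be parsed is reported with `None` rather than silently skipped, since an unrecognised copy is exactly the one worth looking at by hand.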
