Path Traversal in Vtiger Vtiger_crm

CVE-2014-1222

Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is like…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.098 (93.1th percentile) — read the EPSS interpretation.

Affected products

Vtiger Vtiger_crm
N/a — versions n/a

Weakness classification (CWE)

CWE-22 — Path Traversal

References

cve@mitre.org (Exploit, x_refsource_MISC)
20140312 CVE-2014-1222 - Local File Inclusion in Vtiger CRM (mailing-list, x_refsource_BUGTRAQ)
cve@mitre.org (x_refsource_CONFIRM, Patch)