Improper input validation in Vtiger Vtiger_crm
CVE-2014-2269
modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.036 (87.9th percentile)
Affected products
- Vtiger Vtiger_crm — versions 6.0.0
Weakness classification (CWE)
References
- 66758 (Exploit, vdb-entry, x_refsource_BID)
- [Vtigercrm-developers] 20140316 IMP: forgot password and re-installation security fix (mailing-list, x_refsource_MLIST, Patch)