Date: Mon, 4 Aug 2008 14:49:11 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: vtigercrm < 5.0.4

======================================================
Name: CVE-2008-3458
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3458
Reference: MISC:http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/11811
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=567189
Reference: CONFIRM:http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107
Reference: CONFIRM:http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Release_Notes
Reference: BID:27228
Reference: URL:http://www.securityfocus.com/bid/27228
Reference: OSVDB:40218
Reference: URL:http://www.osvdb.org/40218
Reference: SECUNIA:28370
Reference: URL:http://secunia.com/advisories/28370

Vtiger CRM before 5.0.4 stores sensitive information under the web
root with insufficient access control, which allows remote attackers
to read mail merge templates via a direct request to the
wordtemplatedownload directory.