Date: Wed, 5 Oct 2011 12:37:10 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: lists@...g.net
Subject: Re: CVE Request: vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

On Wed, 5 Oct 2011 18:07:59 +0800 YGN Ethical Hacker Group wrote:

> vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

...

> vTiger uses the vulnerable version of phpmailer class file located at
> /cron/class.phpmailer.php .

...

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215

As you point out, the application embeds a vulnerable copy of some other application, and the issue already has a CVE assigned. In such cases, the phpmailer CVE should be used in the vtiger updates (if any).

> It was launched as a fork of version 1.0 of the SugarCRM project
> launched on December 31st, 2004.

Wonder if any of the other reported issues are really sugarcrm issues that did not get fixed in vtiger.

-- 
Tomas Hoger / Red Hat Security Response Team
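The point of the reply above is that an application shipping its own copy of a third-party class (here PHPMailer under /cron/class.phpmailer.php) inherits that copy's already-assigned CVE, so the defender's job is to inventory bundled copies and compare their declared version against the upstream fix. The following is an added example written for this page, not code from the thread, from vTiger or from PHPMailer: it walks a source tree, finds every `class.phpmailer.php`, extracts the `$Version` string the file declares, and classifies each copy against a threshold version. The sample tree is constructed inline, and the `FIXED_VERSION` default is a labelled placeholder because the thread does not state which PHPMailer release fixed CVE-2007-3215.

```python
"""Inventory bundled copies of a third-party PHP class (PHPMailer) in a source
tree and report the version each copy declares.  Added example for this page;
the sample files and the FIXED_VERSION default are constructed placeholders."""
import os
import re
import tempfile

# PHPMailer's class file declares its version as `var $Version = "1.73";`
# in old releases or `public $Version = '5.2.1';` in newer ones.
VERSION_RE = re.compile(r'\$Version\s*=\s*["\']([0-9][0-9.]*)["\']')

# PLACEHOLDER: the first upstream release a maintainer treats as fixed.
# Take the real value from the upstream advisory; it is not stated on this page.
FIXED_VERSION = "9.9.9"


def parse_version(text):
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split(".") if part)


def find_bundled_copies(root, filename="class.phpmailer.php"):
    """Return sorted (relative_path, declared_version_or_None) for every copy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != filename:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.append((rel, match.group(1) if match else None))
    return sorted(hits)


def classify(hits, fixed=FIXED_VERSION):
    """Map each copy to 'outdated', 'current' or 'unknown' relative to `fixed`."""
    result = {}
    for rel, version in hits:
        if version is None:
            result[rel] = "unknown"          # no version string: inspect by hand
        elif parse_version(version) < parse_version(fixed):
            result[rel] = "outdated"         # needs the upstream fix backported
        else:
            result[rel] = "current"
    return result


def build_sample_tree():
    """Constructed sample: an app bundling two copies of the class plus noise."""
    root = tempfile.mkdtemp()
    samples = {
        "cron/class.phpmailer.php":
            '<?php\nclass PHPMailer {\n  var $Version = "1.73";\n}\n',
        "vendor/phpmailer/class.phpmailer.php":
            "<?php\nclass PHPMailer {\n  public $Version = '5.2.1';\n}\n",
        "README.txt": "not a php file\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, status in classify(find_bundled_copies(tree), fixed="5.0").items():
        print(f"{status:9} {rel}")
```

Run it against the real application root instead of the sample tree, and set `FIXED_VERSION` from the upstream advisory; any copy reported as `outdated` is one the application's own update must address under the library's CVE, as the reply recommends.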