Multiple vtenext Vulnerabilities Let Attackers Bypass Authentication and Execute Remote Codes

Posted on August 25, 2025 by CWS

A comprehensive security assessment of vtenext CRM version 25.02 has revealed several critical vulnerabilities that allow unauthenticated attackers to bypass authentication through three distinct attack vectors, ultimately leading to remote code execution on target systems.

The Italian CRM solution, used by numerous small and medium enterprises across Italy, faces significant security exposure despite attempted vendor notifications.

Key Takeaways
1. Three authentication bypasses let attackers impersonate any user.
2. Post-login, LFI and module-upload flaws enable remote code execution.
3. Only the password-reset issue was silently patched; the others still need fixes.

XSS and Session Hijacking

Sicuranext reports that the first attack vector exploits a vulnerability chain combining reflected Cross-Site Scripting (XSS), CSRF token bypass, and session cookie disclosure.

A critical flaw exists in modules/Home/HomeWidgetBlockList.php, where the widgetId parameter undergoes insufficient sanitization before being reflected in server responses.

The vulnerability manifests when JSON responses containing malicious payloads are delivered with Content-Type: text/html headers instead of the safe application/json format, enabling browser execution of embedded JavaScript code.

Attackers can inject malicious scripts using crafted requests:

The exploitation becomes particularly dangerous when combined with a CSRF token validation bypass achieved through HTTP method tampering.

The application's reliance on the $_REQUEST superglobal allows attackers to convert POST requests to GET requests, completely circumventing the CSRF protection mechanisms in include/utils/VteCsrf.php.

This design flaw allows attackers to exploit XSS vulnerabilities without requiring valid CSRF tokens, significantly lowering the attack complexity.

SQL Injection Vulnerability

The second authentication bypass vector leverages SQL injection vulnerabilities in modules/Fax/EditView.php to extract sensitive user credentials and authentication tokens.

The vulnerable code constructs database queries by directly concatenating user-controlled input:

Although prepared statements are used, the $fieldname parameter remains unsanitized, allowing attackers to specify arbitrary database columns for extraction.

More critically, attackers can leverage subquery injection to extract password reset tokens.

These extracted tokens enable immediate password reset operations without user interaction, providing full account takeover capabilities.

Direct Password Reset Vulnerability

The most severe vulnerability, designated as the third attack vector, involves an arbitrary password reset flaw in hub/rpwd.php.

This endpoint exposes a change_password action that lacks adequate security validation, allowing password modification for any user account using only the target username.

The vulnerable code path in modules/Users/RecoverPwd.php processes password change requests without proper authentication verification:

The skipOldPwdCheck parameter set to true completely bypasses password verification, enabling attackers to reset any user's credentials through a single HTTP request. This vulnerability was patched in version 25.02.1 following the research disclosure.

Remote Code Execution Flaw

Once authentication bypass is achieved, attackers can escalate to remote code execution through various techniques.

The application contains multiple Local File Inclusion (LFI) vulnerabilities that accept user input in file inclusion functions without proper sanitization.

Critical LFI vulnerabilities exist in:

  • modules/Settings/LayoutBlockListUtils.php
  • modules/Calendar/ActivityAjax.php
  • modules/Calendar/wdCalendar.php

Path traversal sequences (../) allow arbitrary file inclusion, with the limitation that target files must have .php extensions.

While upload restrictions prevent direct PHP file uploads, researchers demonstrated RCE exploitation through pearcmd.php gadgets when the PEAR framework is present on target systems.

Additionally, vtenext administrators can upload custom modules through the ModuleManager interface, providing a direct pathway to RCE.
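As an added defender-side example (not code from the article, Sicuranext or the vtenext project), the Python script below triages combined-format web server access logs for the request patterns described in the XSS/CSRF, SQL injection, password reset and LFI sections above. Only the endpoint paths and the widgetId and fieldname parameter names come from the article; the parameter names action and view, the SQL-syntax heuristic and the sample log lines are constructed assumptions. Because POST bodies never reach access logs, the password-reset rule can only see query-string parameters and should be paired with application logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint paths come from the article; parameter names other than widgetId
# and fieldname (i.e. "action", "view") are assumptions for this example.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
LFI_ENDPOINTS = ("modules/Settings/LayoutBlockListUtils.php",
                 "modules/Calendar/ActivityAjax.php",
                 "modules/Calendar/wdCalendar.php")

def _decode(value: str) -> str:
    return unquote(unquote(value))  # catch double-encoded payloads too

def classify(path: str, query: dict) -> list:
    """Return the names of every rule matching one parsed request ([] if benign)."""
    hits = []
    if path.endswith("modules/Home/HomeWidgetBlockList.php") and any(
            re.search(r"<|javascript:", _decode(v), re.I) for v in query.get("widgetId", [])):
        hits.append("xss-widgetId")  # markup reflected into a text/html response
    if path.endswith("modules/Fax/EditView.php") and any(
            re.search(r"[()';]|\bselect\b", _decode(v), re.I) for v in query.get("fieldname", [])):
        hits.append("sqli-fieldname")  # column name carrying SQL syntax (subquery attempt)
    if path.endswith("hub/rpwd.php") and "change_password" in query.get("action", []):
        hits.append("unauth-password-reset")  # POST bodies are not logged; also check app logs
    if path.endswith(LFI_ENDPOINTS) and any(
            "../" in _decode(v) or "pearcmd" in _decode(v) for vs in query.values() for v in vs):
        hits.append("lfi-traversal")
    return hits

def scan(lines) -> list:
    """Return (rule, client_ip, method, path) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m.group("target"))
        for rule in classify(parts.path, parse_qs(parts.query)):
            findings.append((rule, line.split(" ", 1)[0], m.group("method"), parts.path))
    return findings

# Constructed sample log lines; 203.0.113.0/24 is reserved documentation address space.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Aug/2025:10:00:01 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 3201',
    '203.0.113.5 - - [25/Aug/2025:10:00:02 +0000] "GET /modules/Home/HomeWidgetBlockList.php?widgetId=%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 88',
    '203.0.113.5 - - [25/Aug/2025:10:00:03 +0000] "GET /modules/Fax/EditView.php?record=1&fieldname=(SELECT%20x%20FROM%20y) HTTP/1.1" 200 540',
    '203.0.113.5 - - [25/Aug/2025:10:00:04 +0000] "GET /hub/rpwd.php?action=change_password&username=admin HTTP/1.1" 200 17',
    '203.0.113.5 - - [25/Aug/2025:10:00:05 +0000] "GET /modules/Calendar/wdCalendar.php?view=..%2F..%2Fexample.php HTTP/1.1" 500 0',
]
```

Matching paths with endswith keeps the rules working when vtenext is installed under a sub-directory, and the double decode in _decode catches %252e%252e%252f-style traversal that a single URL-decode would miss.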

Organizations using vtenext CRM should immediately upgrade to version 25.02.1 or later and implement additional security measures to mitigate these critical vulnerabilities.

The vendor's delayed response to responsible disclosure attempts highlights the importance of proactive security monitoring and rapid patch deployment in enterprise environments.
