
BrowserCRM Multiple SQL Injection and XSS Vulnerabilities (CVE-2011-5213, CVE-2011-5214)

Severity
Not available
CVSSv3 Score
Not available
Vulnerability description

BrowserCRM is prone to multiple SQL injection and cross-site scripting (XSS) vulnerabilities.

Risk description

Multiple flaws are due to user-supplied input that is not properly handled:

- The PATH_INFO to index.php, modules/admin/admin_module_index.php, or modules/calendar/customise_calendar_times.php, the login[] parameter to index.php or pub/clients.php, and the framed parameter to licence/index.php or licence/view.php are not properly verified before being returned to the user (cross-site scripting).
- The login[username] parameter to index.php, the parent_id parameter to modules/Documents/version_list.php, and the contact_id parameter to modules/Documents/index.php are not properly sanitized before being used in a SQL query (SQL injection).

Successful exploitation will allow remote attackers to execute arbitrary web script or HTML in a user's browser session in the context of the affected site, and to manipulate SQL queries by injecting arbitrary SQL code.

Recommendation

No known solution was made available for at least one year after the disclosure of this vulnerability, and it is likely that none will be provided. General solution options are to upgrade to a newer release, disable the affected features, remove the product, or replace the product with another one.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Oct 25, 2012
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available