A comprehensive security analysis of vtenext CRM version 25.02 has revealed multiple critical vulnerabilities that allow unauthenticated attackers to bypass authentication mechanisms through three distinct attack vectors, ultimately leading to remote code execution on target systems. 

The Italian CRM solution, used by numerous small and medium enterprises across Italy, faces significant security exposure despite the researchers' attempts to notify the vendor.

Key Takeaways

1. Three authentication bypasses let attackers impersonate any user.
2. Post-login, LFI and module-upload flaws enable remote code execution.
3. Only the password-reset issue was silently patched; the others still need fixes.

XSS and Session Hijacking

Sicuranext reports that the first attack vector exploits a vulnerability chain combining reflected Cross-Site Scripting (XSS), CSRF token bypass, and session cookie disclosure. 

The critical flaw lies in modules/Home/HomeWidgetBlockList.php, where the widgetId parameter undergoes insufficient sanitization before being reflected in server responses.

The vulnerability manifests when JSON responses containing malicious payloads are delivered with Content-Type: text/html headers instead of the secure application/json format, enabling browser execution of embedded JavaScript code. 

Attackers can inject malicious scripts using crafted requests.

The exploitation becomes particularly dangerous when combined with a CSRF token validation bypass achieved through HTTP method tampering. 

The application's reliance on the $_REQUEST superglobal allows attackers to convert POST requests into GET requests, completely circumventing the CSRF protection mechanisms in include/utils/VteCsrf.php.

This design flaw enables attackers to exploit XSS vulnerabilities without requiring valid CSRF tokens, significantly lowering the attack complexity.
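To make the two weaknesses concrete, the following is an added illustration, not vtenext's code and not taken from Sicuranext's report, of a CSRF check that only inspects POST requests while the handler reads parameters via $_REQUEST, and of a JSON body reflected as text/html, each beside a hardened form; the function and parameter names are assumptions.

```php
<?php
// Illustrative patterns only (assumed names, not vtenext's code).
declare(strict_types=1);

// --- Weak pattern -----------------------------------------------------------
function csrf_check_weak(array $server, array $request, string $sessionToken): bool
{
    // Only POST is validated. A GET carrying the same parameters is never
    // checked, and reading from $_REQUEST lets the handler accept either.
    if ($server['REQUEST_METHOD'] !== 'POST') {
        return true;
    }
    $token = (string) ($request['csrf_token'] ?? '');
    return hash_equals($sessionToken, $token);
}

function widget_response_weak(string $widgetId): string
{
    // Reflected without encoding and served as text/html: the browser will
    // parse any markup that appears inside the JSON body.
    header('Content-Type: text/html');
    return '{"widgetId":"' . $widgetId . '"}';
}

// --- Hardened pattern ------------------------------------------------------
function csrf_check_hardened(array $server, array $post, string $sessionToken): bool
{
    // Every state-changing action must arrive as POST with a valid token,
    // and the token is read from $_POST only, so GET parameters cannot stand in.
    if ($server['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $token = (string) ($post['csrf_token'] ?? '');
    return $token !== '' && hash_equals($sessionToken, $token);
}

function widget_response_hardened(string $widgetId): string
{
    // Correct content type plus nosniff, and the value is encoded as JSON
    // data with HTML-significant characters escaped, never emitted as markup.
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['widgetId' => $widgetId],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample call: the weak check passes a GET with no token at all,
// the hardened check rejects it.
$server = ['REQUEST_METHOD' => 'GET'];
var_dump(csrf_check_weak($server, [], 'session-token'));      // bool(true)
var_dump(csrf_check_hardened($server, [], 'session-token'));  // bool(false)
```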

SQL Injection Vulnerability

The second authentication bypass vector leverages SQL injection vulnerabilities in modules/Fax/EditView.php to extract sensitive user credentials and authentication tokens. 

The vulnerable code constructs database queries by directly concatenating user-controlled input.

Although prepared statements are utilized, the $fieldname parameter remains unsanitized, allowing attackers to specify arbitrary database columns for extraction. 

More critically, attackers can leverage subquery injection to extract password reset tokens.

These extracted tokens enable immediate password reset operations without user interaction, providing complete account takeover capabilities.

Direct Password Reset Vulnerability

The most severe vulnerability, designated as the third attack vector, involves an arbitrary password reset flaw in hub/rpwd.php. 

This endpoint exposes a change_password action that lacks adequate security validation, permitting password modification for any user account using only the target username.

The vulnerable code path in modules/Users/RecoverPwd.php processes password change requests without proper authentication verification.

The skipOldPwdCheck parameter, when set to true, completely bypasses password verification, enabling attackers to reset any user's credentials with a single HTTP request. This vulnerability was patched in version 25.02.1 following the research disclosure.

Remote Code Execution Flaw

Once authentication bypass is achieved, attackers can escalate to remote code execution through various techniques. 

The application contains multiple Local File Inclusion (LFI) vulnerabilities that accept user input in file inclusion functions without proper sanitization.

Critical LFI vulnerabilities exist in:

modules/Settings/LayoutBlockListUtils.php

modules/Calendar/ActivityAjax.php

modules/Calendar/wdCalendar.php

Path traversal sequences (../) enable arbitrary file inclusion, with the limitation that target files must possess .php extensions. 

While upload restrictions prevent direct PHP file uploads, researchers demonstrated RCE exploitation through pearcmd.php gadgets when the PEAR framework is present on target systems.

Additionally, vtenext administrators can upload custom modules through the ModuleManager interface, providing a direct pathway to RCE. 

Organizations running vtenext CRM should immediately upgrade to version 25.02.1 or later and implement additional security measures to mitigate the vulnerabilities that remain unpatched.

The vendor’s delayed response to responsible disclosure attempts highlights the importance of proactive security monitoring and rapid patch deployment in enterprise environments.
