CVE-2023-46304
Published: 30 April 2024
Summary
CVE-2023-46304 is a high-severity Injection (CWE-74) vulnerability in Vtiger CRM. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-46304 affects Vtiger CRM version 7.5.0 in the file modules/Users/models/Module.php. The flaw stems from an unprotected endpoint that permits writing arbitrary PHP code into the config.inc.php configuration file, which is loaded and executed on every page request. The issue is tracked under CWE-74 and carries a CVSS 3.1 score of 8.1.
A remote authenticated attacker can exploit the endpoint to inject and persist PHP payloads without needing additional user interaction or special network positioning beyond standard HTTP access. Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the web application on subsequent page loads, potentially leading to full system compromise.
Public references include a vendor commit that addresses the unprotected write path and a proof-of-concept repository demonstrating the injection technique. The associated EPSS score has remained flat at 0.2076 since disclosure, indicating no observed surge in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50526
Vulnerability details
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
- CWE(s): CWE-74 (Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Vtiger CRM 7.5.0 (modules/Users/models/Module.php).
Mitigating Controls
Likely mitigating controls (AI-derived mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects those findings before deployment.
Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).