Cyber Resilience

CVE-2023-46304

Severity: High · Public PoC available

Published: 30 April 2024
Modified: 22 April 2025
KEV Added: none
Patch:
CVSS Score (v3.1): 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.2076 (95.7th percentile)
Risk Priority: 29 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46304 is a high-severity Injection (CWE-74) vulnerability in Vtiger CRM. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-46304 affects Vtiger CRM version 7.5.0, in the file modules/Users/models/Module.php. The flaw stems from an unprotected endpoint that permits writing arbitrary PHP code into the config.inc.php configuration file, which is loaded and executed on every page request. The issue is classified as CWE-74 and carries a CVSS 3.1 score of 8.1.

A remote authenticated attacker can use the endpoint to inject and persist PHP payloads; no further user interaction or special network positioning beyond standard HTTP access is required. Successful exploitation lets the attacker execute arbitrary code in the context of the web application on subsequent page loads, potentially leading to full system compromise.

Public references include a vendor commit that addresses the unprotected write path and a proof-of-concept repository demonstrating the injection technique. The associated EPSS score has remained flat at 0.2076 since disclosure, indicating no observed surge in exploitation interest.
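Because config.inc.php is executed on every page load, one practical defender check is to verify that the file still contains only the plain literal assignments an installer writes. The allowlist checker below is an added example, not code from this page or from Vtiger; the sample configs are constructed, and the accepted statement shape is an assumption that a real deployment would tune to its own installer output.

```python
import re

# Constructed sample of a benign config.inc.php in the shape an installer writes
# (plain literal assignments only). Not Vtiger's real file.
BENIGN_CONFIG = """<?php
$dbconfig['db_server'] = 'localhost';
$dbconfig['db_name'] = 'vtiger';
$dbconfigoption['persistent'] = true;
$site_URL = 'http://crm.example.test/';
$upload_maxsize = 3145728;
$upload_badext = array('php', 'phtml', 'exe');
"""

# Constructed tampered copy: one statement that is a call rather than a literal.
TAMPERED_CONFIG = BENIGN_CONFIG + "$hook = call_user_func('placeholder_fn');\n"

# A string, number, bool or null literal (the only value kinds a config should hold).
_LITERAL = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?|true|false|null)"""

# Allowed statement shape (assumed):
#   $name = <literal>;   $name['k'] = <literal>;   $name = array(<literals>);
_ASSIGN = re.compile(
    r"^\$[A-Za-z_]\w*(?:\[\s*" + _LITERAL + r"\s*\])*\s*=\s*"
    r"(?:" + _LITERAL + r"|array\(\s*(?:" + _LITERAL + r"\s*,?\s*)*\))\s*;$",
    re.IGNORECASE,
)

_SKIP = ("<?php", "?>")


def suspicious_lines(source: str) -> list:
    """Return (line_no, text) for each line that is not a plain literal assignment.

    Anything else (function calls, include/require, backticks, a second statement
    on the same line, or a statement spanning lines) is reported for review.
    """
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line in _SKIP or line.startswith(("//", "#", "/*", "*")):
            continue
        if not _ASSIGN.match(line):
            findings.append((no, line))
    return findings


if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, suspicious_lines(cfg) or "clean")
```

Run it from a cron job or a file-integrity hook against the live config.inc.php and alert on any non-empty result, alongside a hash comparison against the post-install baseline.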

Vulnerability details

modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vtiger
Product: vtiger crm
Version: 7.5.0

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verified flaw remediation corrects them before deployment.

- Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
