Full title: vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload Vulnerability
Category: remote exploits
Platform: php

vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities, an attacker can upload and execute PHP code. This Metasploit module has been tested successfully against vTiger CRM v5.4.0 on Ubuntu 10.04 and Windows 2003 SP2.

# 0day.today @ http://0day.today/