Published: 2023/09/05  Last Updated: 2023/09/05

Information from Thinkingreed Inc.

Vulnerability ID: JVN#78113802
Title: Multiple vulnerabilities in F-RevoCRM
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

Multiple vulnerabilities have been discovered in F-RevoCRM.

Affected products:
Vulnerability 1:
F-RevoCRM versions 7.3.7 and 7.3.8

Vulnerability 2:
F-RevoCRM 7.3 series, all versions up to and including 7.3.8

Summary:
Vulnerability 1:
Arbitrary OS command execution on the host where F-RevoCRM is running.
Vulnerability 2:
Cross-site scripting: a malicious script may be executed in the browser of a user of F-RevoCRM.

Impact:
Vulnerability 1:
This vulnerability could lead to severe damage to the host operating system and to leakage of the data it holds.

Vulnerability 2:
This vulnerability could lead to information theft through the injection of unintended scripts.
Below are the severity ratings based on CVSS v3 criteria:

Severity: Critical (Urgent)
Vulnerability 1:
CVSS v3 Base Score: 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability 2:
Not applicable

Severity: High
Vulnerability 1:
Not applicable

Vulnerability 2:
Not applicable

Severity: Medium
Vulnerability 1:
Not applicable

Vulnerability 2:
CVSS v3 Base Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Low
Vulnerability 1:
Not applicable

Vulnerability 2:
Not applicable

Workaround:
Vulnerability 1:
Remove the directory named "docker" from the F-RevoCRM installation.

Vulnerability 2:
This vulnerability can only be exploited while the victim is logged in to F-RevoCRM. To mitigate it, log out of F-RevoCRM before accessing untrusted external sites, or use a separate browser for F-RevoCRM. Additionally, restricting access to inappropriate sites through a proxy server can reduce the impact.

Measures:
Please update to F-RevoCRM version 7.3.9, in which both vulnerabilities have been fixed.
For instructions on upgrading and applying the patch, please refer to the official F-RevoCRM website or the README.md on GitHub.

Furthermore, for customers under a Thinkingreed support contract, the patches have already been applied individually.
We hope this provides you with peace of mind.