Full Report
VteNext is an Italian CRM. An initial pass over the PHP codebase of the demo release with Semgrep's default PHP rules turned up some interesting sinks. The first issue is an XSS vulnerability caused by poor sanitization of user-controlled JSON input. Interestingly, it works because the Content-Type of the response is text/html, so calling this endpoint directly produces reflected XSS. At this point the request is a POST, which is unexploitable.

The application supports various HTTP methods, but the CSRF token check is only performed on POST requests, while the endpoint processes the request regardless of the verb. Changing the verb to GET therefore bypasses the CSRF token check. Combining the two, a user can now trigger the XSS from a GET request. Sometimes small things can be chained together to make exploits worse.

Session cookies are set with the HttpOnly flag, making them inaccessible via XSS. However, the Touch module exposes the PHPSESSID in the page (it appears to be just some JSON request data), and in other locations phpinfo() can be used to leak session cookies as well.

The final piece of the puzzle is a set of SQL injections. Although the queries go through adb->pquery(), the user's input is inserted directly into the statement; it looks like an attempt to prevent SQL injection that misunderstood how parameterization works. In this case, $_REQUEST['fieldname'] can be used to read any field from any table, and this primitive is used to steal password reset tokens from the DB. Finally, a password reset function simply doesn't check the user's previous password: the skipOldPwdCheck parameter that controls the check is used on function calls, but it is never set. Overall, a good set of bugs!
Analysis Summary
# Vulnerability: Chained Flaws Leading to Authentication Bypass and Potential RCE in VteNext
## CVE Details
- CVE ID: Awaiting official assignment (CVE Request 1879483 submitted to MITRE by the researcher).
- CVSS Score: **Critical** (Implied, based on RCE/Auth Bypass impact, exact score TBD upon CVE assignment).
- CWE: Multiple, including Improper Input Validation (XSS/SQLi precursors) and Broken Access Control (Auth Bypass).
## Affected Systems
- Products: VTENEXT CRM
- Versions: 25.02.01 and below, including testing on 20.04, 24.02, 25.02, and 25.02.1.
- Configurations: Both On-Premises and Cloud deployments.
## Vulnerability Description
The research identified a combination of several security flaws that, when chained, could lead to severe impacts, including Remote Code Execution (RCE) and Authentication Bypass. Key findings include:
1. **Reflected Cross-Site Scripting (XSS):** Found in a demo release, resulting from poor sanitization of user-controlled JSON input. The XSS became exploitable via a **GET request** because CSRF token checks were only enforced on POST requests and the server answered with a `text/html` `Content-Type`. Session cookies were protected by the `HttpOnly` flag, but the PHPSESSID was exposed in JSON response data within the "Touch" module, and sensitive information could also be leaked via `phpinfo()`.
2. **SQL Injection (SQLi):** Despite using `adb->pquery()`, user input from `$_REQUEST['fieldname']` was directly concatenated or inserted unsafely into queries. This primitive allowed reading **any field from any table**, which was leveraged to steal password reset tokens.
3. **Arbitrary Password Reset:** A password reset function failed to validate the user's previous password because the controlling parameter (`skipOldPwdCheck`) was never set or checked, allowing attackers to reset passwords using stolen tokens or by leveraging application logic flaws in combination with other vectors.
These flaws, when chained, allowed unauthenticated attackers to bypass authentication and potentially achieve RCE.
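As an added illustration (not VteNext's own code and not the researcher's), the following PHP shows each of the code-level patterns described above as a weak form beside a hardened form. It assumes `$adb->pquery()` takes a SQL string with `?` placeholders and an array of values to bind; the table, column and function names are hypothetical, and the weak forms model the behaviour described in the write-up rather than the actual source.

```php
<?php
// Added illustration, not VteNext code: the code-level patterns from the
// write-up, each as the weak form followed by a hardened form. $adb->pquery()
// is assumed to take a SQL string with '?' placeholders plus an array of bound
// values; table, column and function names are hypothetical.

// --- 1. CSRF check tied to the HTTP verb -------------------------------------
// Weak: the token is verified only for POST, yet the action runs for any verb,
// so the same parameters sent with GET skip the check entirely.
function weak_csrf_gate(string $method, array $request, string $sessionToken): bool
{
    if ($method === 'POST') {
        return hash_equals($sessionToken, (string)($request['csrf_token'] ?? ''));
    }
    return true; // GET (and everything else) is waved through
}

// Hardened: a state-changing action accepts one verb and always verifies the token.
function hardened_csrf_gate(string $method, array $request, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false; // caller answers 405 Method Not Allowed
    }
    return hash_equals($sessionToken, (string)($request['csrf_token'] ?? ''));
}

// --- 2. User-controlled JSON reflected in a text/html response ---------------
// Weak: a value from the decoded JSON is echoed into a body the browser renders
// as HTML, so markup carried inside the JSON is executed.
function weak_json_reflect(string $json): array
{
    $data = json_decode($json, true) ?: [];
    return ['Content-Type' => 'text/html', 'body' => 'Hello ' . ($data['name'] ?? '')];
}

// Hardened: answer as JSON (browsers do not render it as a document), forbid
// MIME sniffing, and hex-encode the characters that matter in HTML so the body
// stays inert even if it is ever served with the wrong type.
function hardened_json_reflect(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $body = json_encode(['greeting' => 'Hello ' . ($data['name'] ?? '')],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    return ['Content-Type' => 'application/json; charset=utf-8',
            'X-Content-Type-Options' => 'nosniff', 'body' => $body];
}

// --- 3. Column name taken from $_REQUEST['fieldname'] -------------------------
// Weak: pquery() binds the id, but the identifier is interpolated into the SQL
// string, so binding never sees it and any column of any table becomes readable.
function weak_field_lookup($adb, array $request, int $recordId)
{
    $field = $request['fieldname'];
    return $adb->pquery("SELECT $field FROM crm_users WHERE id = ?", [$recordId]);
}

// Hardened: identifiers cannot be bound, so the request value only selects an
// entry from a fixed allowlist; the row id is still bound with '?'.
function hardened_field_lookup($adb, array $request, int $recordId)
{
    $allowed = ['user_name' => 'user_name', 'email' => 'email', 'status' => 'status'];
    $field = $allowed[(string)($request['fieldname'] ?? '')] ?? null;
    if ($field === null) {
        throw new InvalidArgumentException('fieldname not permitted');
    }
    return $adb->pquery("SELECT `$field` FROM crm_users WHERE id = ?", [$recordId]);
}

// --- 4. Old-password check behind a flag nobody sets -------------------------
// Weak (hypothetical model of the described bug): the check only runs when
// $skipOldPwdCheck is explicitly false, and no caller passes the argument,
// so the current password is never verified.
function weak_change_password(string $hash, string $old, string $new, ?bool $skipOldPwdCheck = null): bool
{
    if ($skipOldPwdCheck === false && !password_verify($old, $hash)) {
        return false;
    }
    return true; // would store password_hash($new, PASSWORD_DEFAULT)
}

// Hardened: a self-service change always verifies the current password; there
// is no flag to forget. A token-based reset lives on a separate code path.
function hardened_change_password(string $hash, string $old, string $new): bool
{
    if (!password_verify($old, $hash)) {
        return false;
    }
    return true; // would store password_hash($new, PASSWORD_DEFAULT)
}
```

The common thread is that each fix removes a decision from request-controlled data: the verb no longer decides whether the CSRF token is checked, the JSON no longer decides what the browser renders, the `fieldname` parameter no longer decides which column is queried, and no optional argument decides whether the old password is verified.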
## Exploitation
- Status: **PoC available** (For components of the chain, though full RCE chain technical details were later reduced by the researcher). Patches were released for individual components starting July 24th, 2025.
- Complexity: **Low** to **Medium** (Depending on the vector chained). The ability to bypass CSRF via HTTP verb change simplifies exploitation.
- Attack Vector: **Network** (Remote via crafted HTTP requests).
## Impact
- Confidentiality: **High** (Ability to steal database data, including password reset tokens, and potentially session IDs).
- Integrity: **High** (Ability to perform authenticated actions, reset passwords, and potentially execute arbitrary code).
- Availability: **Medium** (Service disruption possible, but the primary impact is Confidentiality/Integrity).
## Remediation
### Patches
- **v25.02.1:** Released around July 24th, 2025 to patch the Arbitrary Password Reset vulnerability.
- **v25.02.2:** Released around August/September 2025 to patch the remaining vulnerabilities (including XSS and SQLi vectors).
- **Recommendation:** Update to **v25.02.2** or later.
### Workarounds
- Implement strict Web Application Firewall (WAF) rules to block unusual GET requests targeting endpoints usually reserved for POST operations that handle sensitive logic or input.
- Thoroughly review and sanitize all user input before insertion into database queries or reflection into HTML responses.
## Detection
- **Indicators of Compromise (IoCs):**
* Unusual GET requests directed at endpoints expected to process JSON or perform database read operations using parameters like `fieldname`.
* Database queries exhibiting obvious concatenation vulnerabilities (if the SQLi vector is still present in older instances).
* Successful password resets initiated without the user's prior knowledge.
- **Detection Methods and Tools:**
* Static Application Security Testing (SAST) tools like Semgrep, utilizing updated PHP rules, should flag insecure data flow to sinks related to SQL execution and HTML output.
* Dynamic Application Security Testing (DAST) monitoring for unexpected HTTP methods accessing internal processing endpoints.
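The first indicator above can be checked mechanically against web-server access logs. The following PHP CLI script is an added example (not part of this analysis, the researcher's tooling or the vendor's) that parses combined-format log lines and flags GET requests carrying a `fieldname` parameter, plus any request whose path references phpinfo. The endpoint paths, IP addresses and parameter values in the sample lines are constructed.

```php
<?php
// Added detection illustration, not VteNext code. Scans combined-format access
// log lines for the request shapes the analysis flags: a GET carrying a
// `fieldname` parameter (the vulnerable code read it from $_REQUEST, so it is
// honoured on GET as well as POST) and any request touching phpinfo.

const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// Returns null for lines that do not parse, else the fields the rules need.
function parse_log_line(string $line): ?array
{
    if (!preg_match(COMBINED_LOG_RE, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $params);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'params' => $params,
        'status' => (int)$m[5],
    ];
}

// One finding per matching rule and line; an empty array when nothing matches.
function find_indicators(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'GET' && array_key_exists('fieldname', $r['params'])) {
            $findings[] = ['rule' => 'fieldname-over-get', 'ip' => $r['ip'],
                           'time' => $r['time'], 'path' => $r['path'],
                           'fieldname' => $r['params']['fieldname']];
        }
        if (stripos($r['path'], 'phpinfo') !== false) {
            $findings[] = ['rule' => 'phpinfo-access', 'ip' => $r['ip'],
                           'time' => $r['time'], 'path' => $r['path'], 'status' => $r['status']];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic); hosts, paths and values are placeholders.
$sample = [
    '203.0.113.5 - - [10/Aug/2025:10:00:01 +0000] "POST /index.php?module=Users&action=Save HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2025:10:00:07 +0000] "GET /index.php?module=Users&action=ExampleAjax&fieldname=reset_token HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2025:10:00:09 +0000] "GET /phpinfo.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2025:10:01:00 +0000] "GET /index.php?module=Home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (find_indicators($sample) as $finding) {
    echo json_encode($finding), PHP_EOL;
}
```

Run it as `php scan.php < access.log` after replacing `$sample` with `file('php://stdin', FILE_IGNORE_NEW_LINES)`; the `fieldname-over-get` rule is the one worth forwarding to a SIEM, since the parameter has no legitimate reason to arrive on a GET once the endpoint is restricted to POST.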
## References
- Vendor Advisory (Implied by patch release): vtenext version 25.02.2
- Research Blog: hxxps://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/