vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute arbitrary PHP code remotely. This Metasploit module was tested against vTiger CRM v5.4.0 and v5.3.0.
bbcd3689cbd9914d5739cb0af4a9dcca7c841307f2ee05af37a9fcc839aed4a2