{
  "verdict": "confirmed_alternate_trigger",
  "summary": "Two distinct alternate triggers for the same web-root extraction vulnerability were confirmed at runtime on Vtiger CRM 8.4.0: a language-pack ZIP import and a layout-pack ZIP import that bypasses the layout path's PHP content filter with the short-echo tag <?=. A true bypass of a released vendor patch could not be demonstrated because no patch is available.",
  "confirmed_variants": [
    {
      "name": "language-pack-import-rce",
      "description": "Upload a language-pack ZIP through Module Manager Import; the PHP payload is extracted to languages/<prefix>/ and executed directly via HTTP.",
      "entrypoint": "index.php?module=ModuleManager&parent=Settings&view=ModuleImport&mode=importUserModuleStep1",
      "sink": "vtlib/Vtiger/LanguageImport.php::import_Language()",
      "status": "confirmed",
      "evidence": "bundle/logs/vuln_variant_reproduction_steps.log"
    },
    {
      "name": "layout-import-php-filter-bypass",
      "description": "Upload a layout-pack ZIP through Module Manager Import; the PHP payload uses <?= to bypass the regex in Vtiger_LayoutImport and is extracted to layouts/<name>/skins/<name>/ and executed directly via HTTP.",
      "entrypoint": "index.php?module=ModuleManager&parent=Settings&view=ModuleImport&mode=importUserModuleStep1",
      "sink": "vtlib/Vtiger/LayoutImport.php::import_Layout()",
      "status": "confirmed",
      "evidence": "bundle/logs/vuln_variant_reproduction_steps.log"
    }
  ],
  "bypass_of_fix": false,
  "fixed_version_tested": false,
  "fixed_version_unavailable_reason": "The CVE/advisory lists patched versions as unknown and the public disclosure (Jiva Security, 2026-07-06) confirms Vtiger did not release a patch within the 90-day disclosure window. No later release tarball was available to download and test.",
  "blocking_mitigation": "No vendor patch is available. The vulnerability is only exploitable by an authenticated administrator; restricting admin access and monitoring modules/, languages/, and layouts/ for unexpected PHP files is the only available mitigation until a fix is released.",
  "recommendations_for_fix": [
    "Add a uniform pre-extraction validation layer in modules/Settings/ModuleManager/actions/Basic.php::importUserModuleStep3 for all package types.",
    "Maintain a per-type allowlist of expected file extensions and relative paths; reject arbitrary PHP files.",
    "Replace the bypassable regex in vtlib/Vtiger/LayoutImport.php with a robust PHP detection (e.g., token_get_all) or reject PHP files entirely in layout packs.",
    "Fix Vtiger_Functions::verifyClaimedMIME to compare MIME types against MIME allowlists, not extension strings.",
    "Stage user-uploaded archives outside the web root and serve assets through an authenticated, non-executable handler."
  ],
  "tested_versions": [
    {
      "product": "Vtiger CRM",
      "version": "8.4.0",
      "source": "SourceForge tarball vtigercrm8.4.0.tar.gz",
      "md5": "360f394f5f7ffabc89eaca05b18523f9",
      "result": "vulnerable"
    }
  ],
  "artifact_refs": {
    "repro_steps": "bundle/vuln_variant/reproduction_steps.sh",
    "log": "bundle/logs/vuln_variant_reproduction_steps.log",
    "proof": "bundle/vuln_variant/proof.log",
    "rca": "bundle/vuln_variant/rca_report.md",
    "patch_analysis": "bundle/vuln_variant/patch_analysis.md"
  }
}
