{
  "variant_id": "GHSA-jf2j-jhvf-rc56-lang-layout",
  "created_at": "2026-07-07T23:00:00Z",
  "variant_summary": "Vtiger CRM 8.4.0 Module Manager Import also allows RCE via language-pack and layout-pack ZIPs, sharing the same web-root extraction root cause; the layout path has a bypassable PHP content filter.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "Vtiger CRM",
  "submitted_target": {
    "target_kind": "release",
    "version": "8.4.0",
    "ref": "vtigercrm8.4.0.tar.gz",
    "display": "Vtiger CRM 8.4.0 SourceForge release tarball (GHSA-jf2j-jhvf-rc56)"
  },
  "variant_target": {
    "target_kind": "release",
    "version": "8.4.0",
    "ref": "vtigercrm8.4.0.tar.gz",
    "commit_sha": "360f394f5f7ffabc89eaca05b18523f9",
    "display": "Vtiger CRM 8.4.0 SourceForge release tarball used for variant validation (tarball MD5)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "Module Manager module import (ZIP with arbitrary PHP in modules/)",
  "validated_surface": "Module Manager Import endpoint accepting language-pack and layout-pack ZIPs, extracting attacker-controlled PHP into languages/ and layouts/",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Authenticated admin HTTP POST to index.php?module=ModuleManager&parent=Settings&view=ModuleImport&mode=importUserModuleStep1 followed by importUserModuleStep2 and importUserModuleStep3",
  "attacker_controlled_input": "ZIP archive uploaded via the Module Manager Import file upload (moduleZip field), containing a manifest.xml and a PHP payload file",
  "trigger_path": "ModuleManager Import -> Basic.php::importUserModuleStep3 -> Vtiger_Language::import() / Vtiger_Layout::import() -> Vtiger_LanguageImport::import_Language() / Vtiger_LayoutImport::import_Layout() -> extract to web root -> direct HTTP access to the PHP file",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "runtime",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "No vendor patch is available; variants are confirmed alternate triggers on the vulnerable 8.4.0 release, not a bypass of a released fix.",
  "file_path": "modules/Settings/ModuleManager/actions/Basic.php",
  "line_start": 40,
  "line_end": 64,
  "secondary_anchors": [
    {
      "file_path": "vtlib/Vtiger/LanguageImport.php",
      "line_start": 60,
      "line_end": 153
    },
    {
      "file_path": "vtlib/Vtiger/LayoutImport.php",
      "line_start": 70,
      "line_end": 120
    },
    {
      "file_path": "vtlib/Vtiger/PackageImport.php",
      "line_start": 180,
      "line_end": 275
    }
  ],
  "review_scope_paths": [
    "modules/Settings/ModuleManager/",
    "vtlib/Vtiger/LanguageImport.php",
    "vtlib/Vtiger/LayoutImport.php",
    "vtlib/Vtiger/PackageImport.php",
    "vtlib/Vtiger/Functions.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant_reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
