Vulnerability CVE-2019-19202
Published: 2019-11-21   Modified: 2019-11-24

Description:
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.

Type:

CWE-276

 (Incorrect Default Permissions)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Vtiger -> Vtiger crm 

 References:
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html
https://code.vtiger.com/vtiger/vtigercrm/issues/1126
Copyright 2024, cxsecurity.com

 

Back to Top