Permissions, Privileges, and Access Controls in Vtiger CRM - CVE-2011-4679

 

Permissions, Privileges, and Access Controls in Vtiger CRM - CVE-2011-4679

Published: December 7, 2011 / Updated: August 11, 2020


Vulnerability identifier: #VU44470
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-4679
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vtiger
Affected software:
Vtiger CRM

Detailed vulnerability description

The vulnerability allows a remote #AU# to manipulate data.

vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.


How to mitigate CVE-2011-4679

Install update from vendor's website.

Sources