[Vtigercrm-developers] Vulnerability vtiger v6.1

nab nabbenn at yahoo.ca
Tue Feb 26 13:42:20 GMT 2019


An intrusion test revealed a vulnerability in vtiger version 6.1 (I
think, even in version 7) when a user other than an administrator
accesses his preferences through the address:
"https://yourwebsiteaddress/index.php?module=Users&view=PreferenceDetail&record=122".
A user who only has read access can use this URL and add to it the
"roleid" parameter so that he can change his own role to the administrator
role with all privileges.
Has anyone ever heard of such a vulnerability?
How can this vulnerability be avoided?
Nb



--
Sent from: http://vtiger-crm.2324883.n4.nabble.com/vtigercrm-developers-f4.html
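
One server-side way to block the role change described in the message above, shown as an added example that is not part of the original post and not vtiger's own code: non-administrators may only submit an allow-listed set of profile fields, so an extra "roleid" is dropped and logged before the record is saved. The function name, the field names other than "roleid", the user array layout and the sample values are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the only fields a non-admin may change on
// their own user record. "roleid" is deliberately absent.
const SELF_EDITABLE_FIELDS = ['first_name', 'last_name', 'phone_work', 'time_zone'];

/**
 * Return the subset of $fields that $currentUser is allowed to write to
 * the user record $targetId. Hypothetical helper, called before saving.
 */
function filterUserSaveFields(array $fields, array $currentUser, int $targetId): array
{
    // Take the admin flag from the server-side session, never from the request.
    $isAdmin = ($currentUser['is_admin'] ?? false) === true;
    if ($isAdmin) {
        return $fields;
    }
    // A non-admin may only edit their own record.
    if (($currentUser['id'] ?? null) !== $targetId) {
        throw new RuntimeException('Not allowed to edit another user');
    }
    $allowed  = [];
    $rejected = [];
    foreach ($fields as $name => $value) {
        if (in_array((string) $name, SELF_EDITABLE_FIELDS, true)) {
            $allowed[$name] = $value;
        } else {
            $rejected[] = (string) $name;
        }
    }
    if ($rejected !== []) {
        // A rejected "roleid" from a non-admin is worth alerting on.
        error_log(sprintf(
            'user %d submitted non-editable field(s): %s',
            $currentUser['id'],
            implode(',', $rejected)
        ));
    }
    return $allowed;
}

// Constructed sample: read-only user 122 saves preferences with an extra roleid.
$user   = ['id' => 122, 'is_admin' => false];
$fields = ['phone_work' => '555-0100', 'roleid' => 'ROLE_PLACEHOLDER'];
var_dump(filterUserSaveFields($fields, $user, 122));
```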

