[Vtigercrm-developers] Vulnerability vtiger v6.1
Alan Lord
alanslists at gmail.com
Tue Feb 26 14:00:31 GMT 2019
Have you tried to contact vtiger directly?
Normally, if a vulnerability is found, that is the preferred method of
initial reporting, rather than telling the whole world via a mailing
list ;-)
Alan
On 26/02/2019 13:42, nab wrote:
> An intrusion test revealed a vulnerability on the vtiger version 6.1 (I
> think, even in the version 7) when a user other than an administrator
> accesses his preferences through the address:
> "https://yourwebsiteaddress/index.php?module=Users&view=PreferenceDetail&record=122".
> A user who only has read access can use this URL and add into it the
> "roleid" parameter so that he can change his own role with the administrator
> role with all privileges.
> Has anyone ever heard of such a vulnerability?
> How to avoid this vulnerability?
> Nb
>
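The usual mitigation for the issue described in the quoted report is a server-side allowlist of writable fields, checked against the caller's privileges before anything is saved. The sketch below is an added example, not part of the thread and not vtiger's own code; the function name, the field lists other than "roleid", and the sample users and role value are constructed for illustration.

```php
<?php
// Added example: hypothetical names throughout, not vtiger's API.

// Fields any user may change on their own record (constructed list).
const SELF_EDITABLE = ['first_name', 'last_name', 'phone', 'language', 'time_zone'];
// Fields only an administrator may change (constructed, apart from roleid).
const ADMIN_ONLY = ['roleid', 'is_admin', 'status', 'user_name'];

/**
 * Return the subset of $input that $actor may write to user $targetId.
 * Throws on a privileged or unknown field so the attempt can be logged
 * instead of being silently dropped.
 */
function filterUserUpdate(array $actor, int $targetId, array $input): array
{
    $isAdmin = !empty($actor['is_admin']);
    if (!$isAdmin && $actor['id'] !== $targetId) {
        throw new RuntimeException('not allowed to edit another user');
    }
    $allowed = $isAdmin ? array_merge(SELF_EDITABLE, ADMIN_ONLY) : SELF_EDITABLE;

    $clean = [];
    foreach ($input as $field => $value) {
        // Strict comparison: numeric or unexpected keys never match.
        if (!in_array($field, $allowed, true)) {
            throw new RuntimeException("field not writable by this user: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed sample data; routing keys (module, view, record) are
// assumed to be stripped from the request before this check runs.
$reader = ['id' => 122, 'is_admin' => false];
$admin  = ['id' => 1, 'is_admin' => true];

try {
    // Read-only user submits an extra "roleid" with an ordinary field.
    filterUserUpdate($reader, 122, ['phone' => '555-0100', 'roleid' => 'H2']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r(filterUserUpdate($reader, 122, ['phone' => '555-0100'])); // accepted
print_r(filterUserUpdate($admin, 122, ['roleid' => 'H2']));       // accepted
```

The check belongs in the save handler itself, since hiding the role field in the preferences view does nothing about a parameter added by hand.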