[Vtigercrm-developers] Vulnerability vtiger v6.1
Alan Lord
alanslists at gmail.com
Tue Feb 26 14:05:45 GMT 2019
Your vulnerability doesn't appear to work in vtiger 6.5.0 - perhaps you
should upgrade?
6.1.0 was released in September 2014...
Al
On 26/02/2019 14:00, Alan Lord wrote:
> Have you tried to contact vtiger directly?
>
> Normally if a vulnerability is found that is the preferred method of
> initial reporting, rather than telling the whole world via a mailing
> list ;-)
>
>
> Alan
>
>
> On 26/02/2019 13:42, nab wrote:
>> An intrusion test revealed a vulnerability on the vtiger version 6.1 (I
>> think, even in the version 7) when a user other than an administrator
>> accesses his preferences through the address:
>> "https://yourwebsiteaddress/index.php?module=Users&view=PreferenceDetail&record=122".
>>
>> A user who only has read access can use this URL and add into it the
>> "roleid" parameter so that he can change his own role with the
>> administrator role with all privileges.
>> Has anyone ever heard of such a vulnerability?
>> How to avoid this vulnerability?
>> Nb
>
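
One way to answer the "how to avoid" question in the thread, as an added example that is not part of the original messages and is not vtiger's own code: the save path takes the caller's privileges from the server-side session and accepts only an allow-list of self-editable fields, so an extra "roleid" in the request is ignored. The function name, field names and role id value are hypothetical.

```php
<?php
// Added example, not vtiger code. The function name, field names and the
// role id value are hypothetical placeholders.

// Fields a non-admin may change on their own record. Anything not listed,
// including roleid, is ignored no matter what the request contains.
const SELF_EDITABLE_FIELDS = ['language', 'time_zone', 'date_format', 'signature'];

/**
 * Return the part of $input that $actor may write to user record $targetId.
 * Privilege comes from the server-side session ($actor), never from $input.
 */
function filterUserUpdate(array $actor, int $targetId, array $input): array
{
    if (($actor['is_admin'] ?? false) === true) {
        return $input;                      // administrators may set any field
    }
    if (($actor['id'] ?? null) !== $targetId) {
        throw new RuntimeException('non-admin may only edit own record');
    }

    $allowed = [];
    foreach ($input as $field => $value) {
        $name = strtolower((string) $field);
        if (in_array($name, SELF_EDITABLE_FIELDS, true)) {
            $allowed[$name] = $value;
            continue;
        }
        // Log the attempt; strip odd characters so the name cannot forge log lines.
        error_log(sprintf(
            'user %d sent non-editable field "%s" for record %d',
            $actor['id'],
            preg_replace('/[^a-z0-9_]/', '?', $name),
            $targetId
        ));
    }
    return $allowed;
}

// Constructed request: read-only user 122 saves preferences with roleid added.
$actor   = ['id' => 122, 'is_admin' => false];
$request = ['language' => 'en_us', 'roleid' => 'admin-role-placeholder'];

print_r(filterUserUpdate($actor, 122, $request));
```

The log line written for each rejected field also serves as a detection signal for attempts like the one reported.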