CVE-2007-3598
Published 2007-07-06
Priority P4 17 | medium 5.5 | CVSS 2.0
AV:N/AC:L/Au:S/C:P/I:P/A:N
EPSS: 0.97% (57.3th percentile)
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | <= 5.0.2 | — |
No detection rules found.
No writeups or analysis indexed.
http://forums.vtiger.com/viewtopic.php?p=38609
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985