CVE-2007-3598 - Unspecified vulnerability in Vtiger CRM
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo.
Vulnerable Configurations
References
- http://forums.vtiger.com/viewtopic.php?p=38609
- http://trac.vtiger.com/cgi-bin/trac.cgi/report/9
- http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664
- http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985