Incorrect Default Permissions
CVE-2019-19202
Summary
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
References
Advisory Timeline
- Published