Incorrect Default Permissions
CVE-2019-19202
Summary
In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
- LOW
- NETWORK
- SINGLE
- PARTIAL
- PARTIAL
- PARTIAL
CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
References
Advisory Timeline
- Published
