Privilege Escalation in Vtiger 7.x before 7.2.0

Privilege Escalation in Vtiger 7.x before 7.2.0

CVE-2019-19202 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.

Learn more about our User Device Pen Test.