ID

VAR-201911-1354


CVE

CVE-2019-19202


TITLE

Vtiger Inappropriate default permission vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-012577

DESCRIPTION

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request. Vtiger contains an inappropriate default permissions vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information. Vtiger CRM 7.x prior to 7.2.0 has a security vulnerability in the My Preferences save functionality. An attacker could exploit this vulnerability to modify their own role.

Trust: 1.71

sources: NVD: CVE-2019-19202 // JVNDB: JVNDB-2019-012577 // VULHUB: VHN-151625

AFFECTED PRODUCTS

vendor: vtiger, model: crm, scope: lt, version: 7.2.0

Trust: 1.0

vendor: vtiger, model: crm, scope: gte, version: 7.0

Trust: 1.0

vendor: vtiger, model: crm, scope: lt, version: 7.x

Trust: 0.8

vendor: vtiger, model: crm, scope: eq, version: 7.2.0

Trust: 0.8

vendor: vtiger, model: crm, scope: eq, version: 7.0

Trust: 0.6

vendor: vtiger, model: crm, scope: eq, version: 7.1.0

Trust: 0.6

vendor: vtiger, model: crm, scope: eq, version: 7.0.1

Trust: 0.6

sources: JVNDB: JVNDB-2019-012577 // CNNVD: CNNVD-201911-1268 // NVD: CVE-2019-19202

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-19202
value: HIGH

Trust: 1.0

NVD: CVE-2019-19202
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201911-1268
value: HIGH

Trust: 0.6

VULHUB: VHN-151625
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-19202
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151625
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-19202
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-19202
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-151625 // JVNDB: JVNDB-2019-012577 // CNNVD: CNNVD-201911-1268 // NVD: CVE-2019-19202

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.9

sources: VULHUB: VHN-151625 // JVNDB: JVNDB-2019-012577 // NVD: CVE-2019-19202

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-1268

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201911-1268

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012577

PATCH

title: Insufficient permission checking on "roleid" parameter during profile edition
url: https://code.vtiger.com/vtiger/vtigercrm/issues/1126

Trust: 0.8

title: [Vtigercrm-developers] Vtiger CRM 7.1.0 (hotfix3) Released
url: http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html

Trust: 0.8

title: Vtiger CRM Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=104046

Trust: 0.6

sources: JVNDB: JVNDB-2019-012577 // CNNVD: CNNVD-201911-1268

EXTERNAL IDS

db: NVD, id: CVE-2019-19202

Trust: 2.5

db: JVNDB, id: JVNDB-2019-012577

Trust: 0.8

db: CNNVD, id: CNNVD-201911-1268

Trust: 0.7

db: VULHUB, id: VHN-151625

Trust: 0.1

sources: VULHUB: VHN-151625 // JVNDB: JVNDB-2019-012577 // CNNVD: CNNVD-201911-1268 // NVD: CVE-2019-19202

REFERENCES

url: http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-april/037964.html

Trust: 1.7

url: https://code.vtiger.com/vtiger/vtigercrm/issues/1126

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-19202

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19202

Trust: 0.8

url: https://vigilance.fr/vulnerability/vtiger-crm-privilege-escalation-via-profile-edition-role-id-30943

Trust: 0.6

sources: VULHUB: VHN-151625 // JVNDB: JVNDB-2019-012577 // CNNVD: CNNVD-201911-1268 // NVD: CVE-2019-19202

SOURCES

db: VULHUB, id: VHN-151625
db: JVNDB, id: JVNDB-2019-012577
db: CNNVD, id: CNNVD-201911-1268
db: NVD, id: CVE-2019-19202

LAST UPDATE DATE

2024-11-23T23:08:09.058000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-151625, date: 2019-12-04T00:00:00
db: JVNDB, id: JVNDB-2019-012577, date: 2019-12-05T00:00:00
db: CNNVD, id: CNNVD-201911-1268, date: 2019-12-05T00:00:00
db: NVD, id: CVE-2019-19202, date: 2024-11-21T04:34:19.083

SOURCES RELEASE DATE

db: VULHUB, id: VHN-151625, date: 2019-11-21T00:00:00
db: JVNDB, id: JVNDB-2019-012577, date: 2019-12-05T00:00:00
db: CNNVD, id: CNNVD-201911-1268, date: 2019-11-21T00:00:00
db: NVD, id: CVE-2019-19202, date: 2019-11-21T20:15:15.833