In Vtiger 7.x prior to 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
Vulnerable Product |
---|
vtiger vtiger crm |
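
The description above amounts to a save handler that accepts a privileged field from the request body. The following is an added example, not Vtiger code: a server-side allow-list that drops `roleid` from a non-administrator's preference save and reports the attempt. Every function, array key and field name other than `roleid` is a hypothetical name chosen for illustration.

```php
<?php
// Added illustration, not Vtiger code. All names except roleid are hypothetical.

// Fields a user may change on their own record through a preferences form.
const SELF_SERVICE_FIELDS = ['first_name', 'last_name', 'time_zone', 'language'];

// Fields that change privileges; only an administrator may set them.
const PRIVILEGED_FIELDS = ['roleid', 'is_admin', 'status'];

/**
 * Return the subset of $post that $actor may write to user record $targetId.
 * Privileged fields that were refused are returned in $rejected for audit logging.
 */
function filterPreferenceSave(array $actor, int $targetId, array $post, array &$rejected = []): array
{
    $rejected = [];
    $isAdmin = !empty($actor['is_admin']);

    // A non-admin may only edit their own record.
    if (!$isAdmin && $actor['id'] !== $targetId) {
        throw new RuntimeException('not allowed to edit another user');
    }

    $allowed = $isAdmin
        ? array_merge(SELF_SERVICE_FIELDS, PRIVILEGED_FIELDS)
        : SELF_SERVICE_FIELDS;

    $clean = [];
    foreach ($post as $field => $value) {
        if (in_array($field, $allowed, true)) {
            $clean[$field] = $value;
        } elseif (in_array($field, PRIVILEGED_FIELDS, true)) {
            $rejected[] = $field; // privilege-change attempt: log and alert
        }
        // Any other unknown field is dropped.
    }
    return $clean;
}

// Constructed sample request: a regular user saves preferences with an extra roleid.
$actor = ['id' => 5, 'is_admin' => false];
$post  = ['time_zone' => 'UTC', 'roleid' => 'H2'];
$clean = filterPreferenceSave($actor, 5, $post, $rejected);

print_r(['saved' => $clean, 'rejected' => $rejected]);
```

The role decision is taken from the server-side session record (`$actor`), never from anything in the request, and a non-empty `$rejected` list is worth alerting on because a normal preferences form does not send those fields.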