CVE-2007-3598

Name of the Vulnerable Software and Affected Versions vtiger CRM versions prior to 5.0.3

Description The issue allows remote authenticated users to obtain all users' names and e-mail addresses via a modified record parameter in a "DetailView" action to the "Users" module. It is reported that the attack might also allow changing user settings, although the vendor disputes this, stating that it results in a "You are not permitted to execute this Operation" error message.

Recommendations For versions prior to 5.0.3, update to version 5.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Users" module to minimize the risk of exploitation.