PT-2023-26672 · Vtiger · Vtiger Crm

Jacob Elliott · Published 2023-09-12 · Updated 2023-09-20 · CVE-2023-38891

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vtiger CRM version 7.5.0
Description: A SQL injection issue allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php. By exploiting it, the attacker can potentially gain higher access levels within the system.
Recommendations: For Vtiger CRM version 7.5.0, update to a version that includes a fix for this issue, since the getQueryColumnsList function in ReportRun.php can otherwise be abused for privilege escalation. As a temporary workaround, consider restricting access to the ReportRun.php file or disabling the getQueryColumnsList function until a patch is available.

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2023-38891

Affected products

Vtiger Crm