PT-2024-28901 · Unknown · Pantera Crm
Published 2024-08-05 · Updated 2024-10-24 · CVE-2024-40531
CVSS v3.1 8.8 High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pantera CRM versions 401.152 through 402.072
Description
A mass assignment vulnerability in the profile management functions allows an authenticated user to modify any attribute of their own user record, including the role, by adding extra parameters (for example a role field) to an otherwise legitimate profile update request. Because the server binds every submitted parameter onto the user object instead of only the fields a user is permitted to edit, a low-privileged account can escalate its privileges without any further interaction.
Recommendations
For versions 401.152 through 402.072, restrict access to the profile management functions until a fix is available.
As a temporary workaround, limit which user attributes an authenticated user can modify through those functions (in particular, do not allow a user to change their own role) to reduce the risk of exploitation.
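The following is an added example, not Pantera CRM code, modelling the flaw in the description and the allowlist-based workaround recommended above. The record layout, the editable-field allowlist, the function names and the request body are all constructed for illustration: the vulnerable handler binds every submitted parameter onto the user record, while the hardened handler copies only allowlisted fields and can either drop or reject an injected `role` parameter.

```python
# Added example, not Pantera CRM code: a minimal model of a profile-update
# handler showing the mass-assignment flaw described in the advisory and a
# hardened version that binds only an allowlist of user-editable fields.
# All function names, field names and request bodies are constructed.

from typing import Any, Dict, List
from urllib.parse import parse_qs

# Fields a user may legitimately change on their own profile (assumption).
PROFILE_EDITABLE_FIELDS = frozenset({"email", "display_name"})


def make_user() -> Dict[str, Any]:
    """Constructed server-side user record for a low-privileged account."""
    return {"id": 42, "username": "alice", "email": "alice@example.test",
            "display_name": "Alice", "role": "user"}


def parse_form_body(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body; last value wins per key."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def update_profile_vulnerable(user: Dict[str, Any], params: Dict[str, str]) -> Dict[str, Any]:
    """Vulnerable pattern: every submitted parameter is bound onto the user
    record, so an injected 'role' parameter overwrites the stored role."""
    for key, value in params.items():
        user[key] = value
    return user


class ForbiddenField(ValueError):
    """Raised when a request carries a parameter outside the allowlist."""


def find_injected_fields(params: Dict[str, str]) -> List[str]:
    """Detection helper for the interim workaround: parameters not in the
    allowlist. Run over profile-update requests to spot injection attempts."""
    return sorted(k for k in params if k not in PROFILE_EDITABLE_FIELDS)


def update_profile_hardened(user: Dict[str, Any], params: Dict[str, str],
                            strict: bool = True) -> Dict[str, Any]:
    """Hardened pattern: copy only allowlisted keys.
    strict=True rejects the whole request if unexpected keys are present;
    strict=False silently drops them (the weaker 'filter' variant)."""
    unexpected = find_injected_fields(params)
    if strict and unexpected:
        raise ForbiddenField("unexpected parameter(s): " + ", ".join(unexpected))
    for key in sorted(PROFILE_EDITABLE_FIELDS & set(params)):
        user[key] = params[key]
    return user


# Constructed request: a normal display-name edit plus an injected role parameter.
INJECTED_BODY = "display_name=Alice&role=admin"


def demo() -> Dict[str, Any]:
    """Run the same injected request through both handlers and report the outcome."""
    params = parse_form_body(INJECTED_BODY)
    vuln_role = update_profile_vulnerable(make_user(), params)["role"]
    filtered_role = update_profile_hardened(make_user(), params, strict=False)["role"]
    try:
        update_profile_hardened(make_user(), params)
        rejected = False
    except ForbiddenField:
        rejected = True
    return {"vulnerable_role": vuln_role, "filtered_role": filtered_role,
            "strict_rejected": rejected, "injected": find_injected_fields(params)}


if __name__ == "__main__":
    print(demo())
```

The strict variant is preferable in production: rejecting requests with unexpected parameters both closes the hole and produces a log signal for the detection side, whereas silent filtering hides probing. `find_injected_fields` can be reused over captured profile-update requests to hunt for exploitation attempts while the workaround is in place.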
Fix
No vendor fix is listed on this page; see Recommendations for interim measures.
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2024-40531
Affected Products
Pantera Crm