PT-2026-55537 · Unknown · Prospero Flow Crm
Credits: Gustavo Novaro (+2)
Published: 2026-07-03 · Updated: 2026-07-03
CVE-2026-59234
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Prospero Flow CRM versions prior to 5.5.3
Description
An authorization bypass exists in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), reachable through the GET '/calendar/event/delete/{id}' endpoint. A remote, authenticated attacker can delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter. The delete handler calls Calendar::find($id)->delete() without any ownership check, such as scoping the lookup by user id or company id, so any authenticated user can destroy calendar data across the platform.
Recommendations
Update Prospero Flow CRM to version 5.5.3 or later.
As a temporary mitigation, restrict access to the '/calendar/event/delete/{id}' endpoint.
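The unscoped delete described above next to an ownership-scoped version, as an added illustration that is not Prospero Flow CRM's own code; the `App\Models\Calendar` namespace and the `user_id` and `company_id` columns are assumptions.

```php
<?php
// Added illustration, not the project's actual controller.
// Model namespace and the user_id / company_id columns are assumptions.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Pattern described in the advisory: the id from the URL is looked up
    // globally, so any authenticated user can delete any user's event.
    // (find() also returns null for a missing id, so ->delete() would
    // throw on a non-existent event.)
    public function deleteUnscoped(int $id)
    {
        Calendar::find($id)->delete();

        return redirect()->back();
    }

    // Scoped version: the lookup is restricted to the caller's own tenant
    // and records, so an id owned by someone else yields a 404 instead
    // of a deletion, and a missing id never reaches ->delete().
    public function deleteScoped(Request $request, int $id)
    {
        $user = $request->user();

        $event = Calendar::query()
            ->where('id', $id)
            ->where('company_id', $user->company_id) // assumed tenant column
            ->where('user_id', $user->id)            // assumed owner column
            ->firstOrFail();                         // 404 when not owned

        $event->delete();

        return redirect()->back();
    }
}
```

The scoped handler is normally bound to a POST or DELETE route behind Laravel's CSRF middleware rather than the GET route named in the advisory, so a state-changing action cannot be triggered by a plain link.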
Fix
IDOR
Affected Products
Prospero Flow Crm