CVE-2026-59236 in Prospero Flow CRM情報

要約

〜によって MITRE • 2026年07月15日

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

責任者

Secur0

予約する

2026年07月03日

モデレーション

承諾済み

エントリ

VDB-379213

EPSS

0.00000

アクティビティ

低い

ソース

Want to stay up to date on a daily basis?

Enable the mail alert feature now!