| タイトル | Indotalent Free-CRM v1.0 commit: b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1 Improper Authorization |
|---|
| 説明 | An authorization vulnerability chain in Free-CRM v1.0 and earlier allows a low-privileged authenticated user to enumerate, access, and modify arbitrary user accounts, including administrators. The issue stems from an unauthenticated Swagger endpoint that discloses internal API structure combined with missing server-side authorization checks on privileged security APIs such as /api/Security/GetUserList, /api/Security/GetMyProfileList, and /api/Security/UpdateUser. By invoking these endpoints with a normal user bearer token, an attacker can obtain sensitive profile information and perform unauthorized account modifications, resulting in complete compromise of user management functionality and full administrative impact. |
|---|
| ソース | ⚠️ https://github.com/Ghufran2/CVE-Free-CRM-Advisories/blob/main/Free-CRM%20IDOR.md |
|---|
| ユーザー | Ghufran Khan (UID 95493) |
|---|
| 送信 | 2026年02月14日 15:18 (2 月 ago) |
|---|
| モデレーション | 2026年02月26日 15:44 (12 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 347988 [go2ismail Free-CRM 迄 b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1 Security API /api/Security/ 特権昇格] |
|---|
| ポイント | 20 |
|---|