CVE-2007-3598 - Vulnerability Details - OpenCVE

index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a "You are not permitted to execute this Operation" error message in a 5.0.3 demo.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vtiger	Vtiger Crm

Configuration 1 [-]

cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://forums.vtiger.com/viewtopic.php?p=38609
http://trac.vtiger.com/cgi-bin/trac.cgi/report/9
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-07-06T19:00:00Z

Updated: 2024-09-16T18:44:01.936Z

Reserved: 2007-07-06T00:00:00Z

Link: CVE-2007-3598

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-07-06T19:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-3598

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-07-06T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664"}, {"tags": ["x_refsource_MISC"], "url": "http://forums.vtiger.com/viewtopic.php?p=38609"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3598", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"}, {"name": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664"}, {"name": "http://forums.vtiger.com/viewtopic.php?p=38609", "refsource": "MISC", "url": "http://forums.vtiger.com/viewtopic.php?p=38609"}, {"name": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9", "refsource": "CONFIRM", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:21:36.463Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://forums.vtiger.com/viewtopic.php?p=38609"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3598", "datePublished": "2007-07-06T19:00:00Z", "dateReserved": "2007-07-06T00:00:00Z", "dateUpdated": "2024-09-16T18:44:01.936Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E8668A7-60BA-45AA-A159-26890ADB6A0A", "versionEndIncluding": "5.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "index.php in vtiger CRM before 5.0.3 allows remote authenticated users to obtain all users' names and e-mail addresses, and possibly change user settings, via a modified record parameter in a DetailView action to the Users module. NOTE: the vendor disputes the changing of settings, reporting that the attack vector results in a \"You are not permitted to execute this Operation\" error message in a 5.0.3 demo."}, {"lang": "es", "value": "index.php de vtiger CRM versiones anteriores a 5.0.3 permite a usuarios remotos autenticados obtener todos los nombres de usuario y direcciones de correo electr\u00f3nico, y posiblemente cambiar propiedades de usuario, mediante un par\u00e1metro de registro modificado en una acci\u00f3n DetailView en el m\u00f3dulo Users.\r\nNOTA: El fabricante impugna el cambio de propiedades, argumentando que el vector de ataque concluye con un mensaje de error \"No est\u00e1s autorizado a ejecutar esta Operaci\u00f3n\" en una demostraci\u00f3n 5.0.3."}], "id": "CVE-2007-3598", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-07-06T19:30:00.000", "references": [{"source": "cve@mitre.org", "url": "http://forums.vtiger.com/viewtopic.php?p=38609"}, {"source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"}, {"source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664"}, {"source": "cve@mitre.org", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://forums.vtiger.com/viewtopic.php?p=38609"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/report/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2664"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2985"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}