CVE-2021-39198

Published: Nov 19, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package.

Affected (3)

Products: Oroinc: Client Relationship Management

Oroinc

1 product

Client Relationship Management

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Oroinc Client Relationship Management	From 3.1.0 to 3.1.24
Oroinc Client Relationship Management	From 4.1.0 to 4.1.15
Oroinc Client Relationship Management	From 4.2.0 to 4.2.5

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43

Source: security-advisories@github.com

Third Party Advisory

https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.