CVE-2021-39198 MEDIUM

CVE-2021-39198: The disqualify lead action may be executed without CSRF token check

Vendor Oroinc
Product crm
Weakness CWE-352 · CSRF
Published November 19, 2021
Last update August 4, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

Description

OroCRM is an open source Customer Relationship Management (CRM) application. Affected versions were found to contain a vulnerability that allows an attacker to disqualify any Lead through a Cross-Site Request Forgery (CSRF) attack, because the disqualify lead action can be executed without a CSRF token check. There are no workarounds that address this vulnerability, and all users are advised to update their package.

Key dates

Disclosure timeline

November 19, 2021 CVE published
August 4, 2024 Record updated