CVE-2009-3257

vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.

Date published : 2009-09-18

http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055

http://secunia.com/advisories/36309