CVE-2009-3257 Information
Feb 14, 2021
Description
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
Reference
http://secunia.com/advisories/36309
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5055