CVE-2021-39198

MEDIUM

Oroinc Client Relationship Management < 3.1.24 - CSRF

Title source: rule
STIX 2.1

Description

OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package.

References (1)

Core 1
Core References

Scores

CVSS v3 4.2
EPSS 0.0030
EPSS Percentile 22.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

Details

CWE
CWE-352
Status published
Products (2)
oro/crm 3.1.0 - 4.1.17Packagist
oroinc/client_relationship_management 3.1.0 - 3.1.24
Published Nov 19, 2021
Tracked Since Feb 18, 2026