Lucene search
K

10 matches found

Cvelist
Cvelist
added 10 hours ago7 views

CVE-2026-59236 Authorization bypass in Prospero Flow CRM Excel import allows cross-tenant record injection

Authorization Bypass Through User-Controlled Key CWE-639 in the Excel import handlers CustomerImport, LeadImport, ProductImport in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company...

6.9CVSS
Exploits0References3
CVE
CVE
added 10 hours ago9 views

CVE-2026-59236

Roskus Prospero Flow CRM (pre-5.14.0) is affected by CVE-2026-59236: Authorization bypass in Excel import handlers (CustomerImport, LeadImport, ProductImport). A remote, authenticated user can inject records into another tenant by supplying a spreadsheet with a company_id pointing to the victim t...

6.9CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 10 hours ago3 views

EUVD-2026-44622

Authorization Bypass Through User-Controlled Key CWE-639 in the Excel import handlers CustomerImport, LeadImport, ProductImport in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company...

6.9CVSS6.1AI score
Exploits0References3
Cvelist
Cvelist
added 10 hours ago9 views

CVE-2026-59235 Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS
Exploits0References3
EUVD
EUVD
added 10 hours ago4 views

EUVD-2026-44608

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS6.2AI score
Exploits0References3
CVE
CVE
added 2026/07/03 12:47 p.m.16 views

CVE-2026-59234

This CVE affects Prospero Flow CRM prior to version 5.5.3. The vulnerability lies in the CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at the GET endpoint /calendar/event/delete/{id} . The delete logic uses Calendar::find($id)->delete(...

6.9CVSS6AI score0.00403EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/03 12:47 p.m.36 views

CVE-2026-59234 Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion

Authorization Bypass Through User-Controlled Key CWE-639 in CalendarDeleteEventController app/Http/Controllers/Calendar/CalendarDeleteEventController.php, exposed at GET /calendar/event/delete/id, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calend...

6.9CVSS0.00403EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/03 12:47 p.m.11 views

EUVD-2026-41539

Authorization Bypass Through User-Controlled Key CWE-639 in CalendarDeleteEventController app/Http/Controllers/Calendar/CalendarDeleteEventController.php, exposed at GET /calendar/event/delete/id, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calend...

6.9CVSS6AI score0.00403EPSS
Exploits0References3
OSV
OSV
added 2026/07/03 12:47 p.m.3 views

CVE-2026-59234 Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion

Authorization Bypass Through User-Controlled Key CWE-639 in CalendarDeleteEventController app/Http/Controllers/Calendar/CalendarDeleteEventController.php, exposed at GET /calendar/event/delete/id, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calend...

6.9CVSS6AI score0.00403EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.9 views

PT-2026-55537

Name of the Vulnerable Software and Affected Versions Prospero Flow CRM versions prior to 5.5.3 Description An authorization bypass exists in the CalendarDeleteEventController app/Http/Controllers/Calendar/CalendarDeleteEventController.php via the GET '/calendar/event/delete/id' endpoint. A remot...

6.9CVSS6AI score0.00403EPSS
Exploits0References7
Rows per page
Query Builder