Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated attacker (PR:L) crosses tenant boundary (S:C) achieving low integrity-only impact; no confidentiality or availability effect applies.
Primary rating from Vendor (Secur0).
CVSS VectorVendor: Secur0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.
AnalysisAI
Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session in any user role within a Prospero Flow CRM instance before version 5.14.0 - the CVE description confirms 'any role or company' is sufficient, meaning the lowest-privileged non-admin account qualifies (the provided CVSS 4.0 vector's PR:N is a scoring error contradicting this requirement). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector lists PR:N (no privileges required), which directly conflicts with the CVE description, which explicitly states exploitation requires 'a remote, authenticated user of any role or company' - this is a confirmed CVSS scoring error that overstates the unauthenticated attack surface and must not be used for risk-tier decisions without correction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user at Company A constructs an Excel spreadsheet in which the company_id column is populated with Company B's tenant identifier - obtainable by observing the application UI, enumerating integer IDs, or through prior legitimate access - and uploads it to the CRM's customer import endpoint. The server maps company_id directly from the file and creates the specified customer, lead, or product records within Company B's data namespace with no ownership check, silently polluting their CRM data. … |
| Remediation | Upgrade to Prospero Flow CRM version 5.14.0 or later, which resolves the vulnerability by replacing $row['company_id'] with Auth::user()->company_id in all three import handlers (patch commit bdd6c9770a7435a45f0411154671b8a3e94dcdaa, available at https://github.com/Roskus/prospero-flow-crm/commit/bdd6c9770a7435a45f0411154671b8a3e94dcdaa; tagged release at https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.14.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prospero Flow Crm
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44622
GHSA-rpp3-j482-5g39