Priority and severity ratings are determined as described here.
This security update resolves a vulnerability in Lime CRM Server. The vulnerability could allow remote code execution in Lime CRM Server if an attacker alters the system configuration in a malicious way. However, an attacker would need access to a user account with administrator privileges in order to succeed with exploiting the vulnerability.
| Product | Version | Platform |
|---|---|---|
| Lime CRM Server | 12.25 - 12.41.1.5 | All platforms |
Lime categorizes this update with the following priority rating and recommends customers to either install the provided hotfix or update their installation to the newest version:
A remote code execution vulnerability exists in Lime CRM Server software when the software fails to properly validate configuration data input by users with administrator privileges. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the user running the Lime CRM Web Server service. If that user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in this situation:
Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.
https://lime.example.com/<appname>/api/v1/activitytype/ https://lime.example.com/<appname>/widgets/widget-salespipe/config https://lime.example.com/<appname>/webclient/add/config
The impact of this workaround is that it will not be possible to update Lime CRM Web Client configuration until rules are disabled or removed.