This vulnerability arises from improper authorization checks at the object level in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x. An attacker with low privileges but authenticated access can craft HTTP requests to reset passwords of other users arbitrarily, leading to full account compromise. The CVSS 3.1 vector indicates the attack requires low privileges and no user interaction, with network attack complexity and high impact on confidentiality, integrity, and availability. No vendor advisory or patch information is provided, leaving remediation status unknown.

Successful exploitation allows an authenticated attacker to reset any user's password, resulting in full account takeover. This compromises user confidentiality and integrity, potentially leading to unauthorized access to sensitive data and administrative functions within the CRM. The high CVSS score reflects the critical nature of this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict authenticated user privileges to the minimum necessary and monitor for suspicious password reset activities. Avoid exposing the vulnerable endpoint to untrusted users if possible.