This vulnerability is a Broken Object-Level Authorization (BOLA) issue affecting the /Contact/Persons/PersonController.php endpoint in Webkul Krayin CRM version 2.2.x. It allows authenticated users with low privileges to bypass authorization controls and perform unauthorized read, modify, and delete operations on contact records owned by other users by crafting specific GET requests. The CVSS 3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability with low attack complexity and no user interaction required. The vulnerability is published but lacks an official remediation level or patch information. The affected software is not a cloud service, so remediation depends on vendor patch releases.

Successful exploitation allows an authenticated attacker to access, alter, or permanently delete any contact data belonging to other users within the CRM system. This compromises data confidentiality, integrity, and availability, potentially leading to data loss or unauthorized data disclosure. The vulnerability requires only low privileges and no user interaction, increasing the risk of exploitation. However, there are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected endpoint to trusted users only and monitor for suspicious activity. Avoid granting unnecessary privileges to users and consider implementing additional access controls at the application or network level to limit exposure.