Impact
The vulnerability is an Authorization Bypass Through User-Controlled Key, located in the CalendarDeleteEventController of Prospero Flow CRM. The delete endpoint resolves the event record by its ID and removes it without checking who owns it. As a result, an authenticated attacker can delete any calendar event belonging to other users, leading to loss of data and disruption of schedules. This flaw corresponds to CWE-639 and compromises the integrity of user-generated content.
Affected Systems
The flaw affects the Roskus Prospero Flow CRM product and is present in all releases earlier than version 5.5.3. The security advisory recommends upgrading to v5.5.3 or later, where the delete handler includes proper authorization checks. The vulnerability is exposed at the HTTP GET path /calendar/event/delete/{id} and requires authenticated access.
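As an added illustration (not the project's own code, which the advisory does not reproduce), a language-neutral Python sketch of the pattern the advisory describes: a delete handler that resolves the event by its user-controlled ID and removes it, beside one that first checks that the authenticated caller owns the record. All function names, user IDs and sample events are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    id: int
    owner_id: int
    title: str

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def find(store, event_id):
    # store is a dict of event id -> Event; raise if the ID does not exist.
    ev = store.get(event_id)
    if ev is None:
        raise NotFound(event_id)
    return ev

def delete_event_vulnerable(store, current_user_id, event_id):
    # CWE-639 pattern: the record is resolved by the caller-supplied ID and
    # removed; current_user_id is never compared with ev.owner_id.
    ev = find(store, event_id)
    del store[ev.id]
    return ev

def delete_event_fixed(store, current_user_id, event_id):
    # Same lookup, but the delete is refused unless the caller owns the event.
    # Scoping the lookup to the caller's own events is an equivalent fix.
    ev = find(store, event_id)
    if ev.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} does not own event {event_id}")
    del store[ev.id]
    return ev

def attempt(handler, store, user_id, event_id):
    # Run a handler and report the outcome as a string for comparison.
    try:
        handler(store, user_id, event_id)
        return "deleted"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"

def make_store():
    # Constructed sample data: user 1 owns event 10, user 2 owns event 20.
    return {10: Event(10, 1, "team standup"), 20: Event(20, 2, "design review")}
```

With the constructed store, user 2 calling the vulnerable handler on event 10 removes user 1's event; the fixed handler refuses the same call and only deletes when the caller is the owner.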
Risk and Exploitability
The vulnerability has a CVSS score of 6.9, indicating moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires only authenticated access and manipulation of the URL path, it is likely easy to exploit for any user with valid credentials. The lack of ownership validation allows deletion of events across the platform, leading to integrity violations. Prompt remediation is advised even though the risk is moderate.
OpenCVE Enrichment