VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the Migration administrative module to disable arbitrary modules.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.