CVE-2022-22107
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Bottelet | DaybydayCRM | 2.0.0 < unspecified | affected |
| Bottelet | DaybydayCRM | unspecified <= 2.2.0 | affected |
| Bottelet | flarepoint | 2.0.0 < unspecified | affected |
| Bottelet | flarepoint | unspecified <= 2.2.0 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
References
- https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.