CVE-2022-22107

MEDIUM4.3EPSS 0.15%

Missing Authorization in DayByDay CRM

Published: 1/8/2022Modified: 11/8/2023

Description

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

Affected packages (1)

Packagist/bottelet/flarepoint>= 2.0.0, < 2.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-22107
PATCHhttps://github.com/Bottelet/DaybydayCRM
WEBhttps://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
WEBhttps://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107