CVE-2022-22108

DayByDay CRM - Missing Authorization when Viewing Absences

CVSS 4.3 MEDIUMEPSS 0.7%CWE-862

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Productos afectados

Bottelet · DaybydayCRM Bottelet · flarepoint

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108