CVE Vulnerability

CVE-2022-22107

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b Patch Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*
Information

Published : 2022-01-05 03:15

Updated : 2022-01-08 02:49

NVD link : CVE-2022-22107

Mitre link : CVE-2022-22107

Products Affected
No products.
CWE
CWE-862