CVE-2022-22107

Date: January 5, 2022

Overview

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker holding the lowest-privileged account type (an employee user) can view the appointments of all users in the system, including administrators, even though this type of user is not authorized to view the calendar at all.

Details

In Daybyday CRM, an attacker holding the lowest-privileged account type (an employee user) can view the appointments of all users in the system, including administrators. This type of user is not authorized to view the calendar at all, yet the attacker can still reach it simply by appending /appointments/calendar to the URL: the calendar entry is hidden from the employee's menu, but the route itself performs no authorization check.

PoC Details

For demonstration purposes we'll use two users:
test@user.com (low-privileged user)
admin@admin.com (administrator)
Log in as "admin@admin.com". Go to Appointments and create a new appointment for the administrator.
Log off and log in as test@user.com. You will notice that this user has no Appointments option in the side menu, unlike the administrator. Append /appointments/calendar to the URL and you will see the calendar of all users and their appointments, including the one you just created as the administrator.
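The Details and PoC sections above describe the defect: the calendar route is reachable by any authenticated user, and the only thing hiding it from an employee is a missing menu entry. The following is an added illustration written for this page, not Daybyday CRM's own code or its actual fix. It shows the vulnerable shape of a Laravel-style route beside a hardened one that enforces authorization with a gate, scopes the returned appointments to what the caller may see, and adds a regression test so the check cannot silently disappear again. The class names, the 'view-calendar' ability, the hasRole() helper and the 'role' user attribute are assumptions.

```php
<?php
// Added illustration (not Daybyday CRM's own code). Three files are shown
// back to back: routes, controller, and a feature test. All names below that
// are not standard Laravel APIs are assumptions for this example.

// ---------------------------------------------------------------- routes/web.php
use App\Http\Controllers\CalendarController;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// Vulnerable shape (CWE-862, Missing Authorization): the route only requires
// a logged-in session. Any employee who types the URL gets everyone's calendar,
// because hiding the menu entry is not an access control.
//
// Route::get('/appointments/calendar', [CalendarController::class, 'index'])
//     ->middleware('auth');

// Hardened shape: authorization is enforced on the route itself.
// The 'can:' middleware calls Gate::allows('view-calendar') for the current
// user and returns HTTP 403 when the gate denies.
Gate::define('view-calendar', function (User $user): bool {
    // Assumed role helper; adapt to the application's real role model.
    return $user->hasRole('administrator');
});

Route::get('/appointments/calendar', [CalendarController::class, 'index'])
    ->middleware(['auth', 'can:view-calendar']);

// ---------------------------------- app/Http/Controllers/CalendarController.php
namespace App\Http\Controllers;

use App\Models\Appointment;
use Illuminate\Support\Facades\Gate;

class CalendarController extends Controller
{
    public function index()
    {
        // Defense in depth: authorize again inside the controller so the check
        // survives a later route refactor that drops the middleware.
        Gate::authorize('view-calendar');

        // Scope the data, not only the page: if a lower-privileged role is
        // ever granted calendar access, it still sees only its own rows.
        $user = auth()->user();
        $appointments = $user->hasRole('administrator')
            ? Appointment::all()
            : Appointment::where('user_id', $user->id)->get();

        return view('appointments.calendar', ['appointments' => $appointments]);
    }
}

// --------------------------------- tests/Feature/CalendarAuthorizationTest.php
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class CalendarAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    // Regression test for the PoC: an employee must get 403, not the calendar.
    public function test_employee_cannot_open_calendar_by_url(): void
    {
        $employee = User::factory()->create(['role' => 'employee']); // assumed attribute

        $this->actingAs($employee)
            ->get('/appointments/calendar')
            ->assertForbidden();
    }

    public function test_administrator_can_open_calendar(): void
    {
        $admin = User::factory()->create(['role' => 'administrator']);

        $this->actingAs($admin)
            ->get('/appointments/calendar')
            ->assertOk();
    }
}
```

The design point is that authorization lives on the route and in the controller, and the query is scoped to the caller; the navigation menu is only a convenience. The feature test encodes the PoC steps as an expected 403 so that the check is exercised in CI rather than relying on a manual walk-through.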

Affected Environments

bottelet/flarepoint - 2.0.0 through 2.2.0

Prevention

Update to version 2.2.1 of the "bottelet/flarepoint" package (version 2.2.1 of the "Bottelet/DaybydayCRM" repository).

Language: PHP

Good to know:

Missing Authorization (CWE-862)

Upgrade Version: upgrade to version bottelet/flarepoint - 2.2.1

Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None