Overview
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker with the lowest-privilege account (an employee-type user) can view the absences of all users in the system, including administrators. This type of user is not authorized to view this information.
Details
In Daybyday CRM, an attacker with the lowest-privilege account (an employee-type user) can view the absences of all users in the system, including administrators. This type of user is not authorized to view this information, yet the attacker can still reach the relevant page by simply appending "/users/calendar-users" to the URL.
PoC Details
For demonstration purposes we'll use test@user.com (a low-privileged user).
Log in with test@user.com, append "/users/calendar-users" to the URL, and the absences of all users are returned in the JSON response.
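As an added illustration (not code from Daybyday CRM or the flarepoint package), the two handler shapes behind a bug of this class, in framework-neutral Python: one that only checks that the caller is logged in and therefore hands every user's absences to an employee, and one that also applies an authorization policy and scopes the result to what the caller may see. The role names, sample users and absence data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this example; not Daybyday CRM's schema.
@dataclass(frozen=True)
class User:
    email: str
    role: str  # assumed role names: "administrator" or "employee"

ABSENCES = {  # email -> list of (start, end) absence ranges (constructed)
    "admin@example.com": [("2024-03-04", "2024-03-08")],
    "test@user.com": [("2024-03-11", "2024-03-11")],
    "other@example.com": [("2024-04-01", "2024-04-05")],
}
ADMIN = User("admin@example.com", "administrator")
EMPLOYEE = User("test@user.com", "employee")


class Forbidden(Exception):
    """Raised where an HTTP handler would respond 403."""


def calendar_users_vulnerable(caller: Optional[User]) -> dict:
    """Shape of the flaw: authentication is checked, authorization is not.
    Any logged-in user, including an employee, receives everyone's absences."""
    if caller is None:
        raise Forbidden("login required")
    return {email: list(ranges) for email, ranges in ABSENCES.items()}


def can_view_all_absences(caller: User) -> bool:
    """Authorization policy (assumed): only administrators may list all users."""
    return caller.role == "administrator"


def calendar_users_fixed(caller: Optional[User]) -> dict:
    """Same endpoint with the missing check added: the response is scoped
    server-side to what the caller is allowed to see."""
    if caller is None:
        raise Forbidden("login required")
    if can_view_all_absences(caller):
        return {email: list(ranges) for email, ranges in ABSENCES.items()}
    # Least privilege: an employee sees only their own absences.
    return {caller.email: list(ABSENCES.get(caller.email, []))}
```

The check belongs in the handler (or route middleware), not in the client that renders the calendar, since the JSON endpoint is reachable directly.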
Affected Environments
bottelet/flarepoint - 2.0.0 through 2.2.0
Prevention
Update to version 2.2.1 of the "bottelet/flarepoint" package (version 2.2.1 in the "Bottelet/DaybydayCRM" repository).