CVE-2022-22108

Date: January 5, 2022

Overview

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker with the lowest-privileged account (an employee type user) can view the absences of all users in the system, including administrators. This type of user is not authorized to view this kind of information.

Details

In Daybyday CRM, an attacker with the lowest-privileged account (an employee type user) can view the absences of all users in the system, including administrators. This type of user is not authorized to view this kind of information, yet the attacker can still access the relevant page by simply adding “/users/calendar-users” to the URL.

PoC Details

For demonstration purposes we'll use test@user.com (a low-privileged user).
Log in with test@user.com. Add “/users/calendar-users” to the URL, and the absences for all the users will be available in the returned JSON data.

Affected Environments

bottelet/flarepoint - 2.0.0 through 2.2.0

Prevention

Update to 2.2.1 in "bottelet/flarepoint" package, 2.2.1 in "Bottelet/DaybydayCRM" repo.
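The kind of check whose absence the Details section describes, shown as an added example in plain PHP; it is not DaybydayCRM's code or the 2.2.1 patch. The permission name `absence-view-all`, the role map, the function names and the sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data: accounts and absences are illustrative only.
const USERS = [
    1 => ['email' => 'admin@example.test', 'role' => 'administrator'],
    2 => ['email' => 'test@user.com',      'role' => 'employee'],
];
const ABSENCES = [
    ['user_id' => 1, 'reason' => 'vacation', 'start' => '2022-01-10', 'end' => '2022-01-14'],
    ['user_id' => 2, 'reason' => 'sick',     'start' => '2022-01-03', 'end' => '2022-01-04'],
];
// Hypothetical permission map: which roles may see everyone's absences.
const ROLE_PERMISSIONS = [
    'administrator' => ['absence-view-all'],
    'employee'      => [],
];

/** Before: any authenticated session receives every user's absences. */
function calendarUsersUnchecked(?int $sessionUserId): array
{
    if ($sessionUserId === null || !array_key_exists($sessionUserId, USERS)) {
        return ['status' => 401, 'body' => []];
    }
    return ['status' => 200, 'body' => ABSENCES]; // authentication only, no authorization
}

/** After: the handler checks the caller's permission before returning data. */
function calendarUsersChecked(?int $sessionUserId): array
{
    if ($sessionUserId === null || !array_key_exists($sessionUserId, USERS)) {
        return ['status' => 401, 'body' => []];
    }
    $role    = USERS[$sessionUserId]['role'];
    $granted = ROLE_PERMISSIONS[$role] ?? [];     // unknown role gets no permissions
    if (!in_array('absence-view-all', $granted, true)) {
        return ['status' => 403, 'body' => []];   // deny by default
    }
    return ['status' => 200, 'body' => ABSENCES];
}

// Compare both handlers for: no session, the employee account, the administrator.
foreach ([null, 2, 1] as $caller) {
    printf("caller=%s unchecked=%d checked=%d\n", var_export($caller, true),
        calendarUsersUnchecked($caller)['status'], calendarUsersChecked($caller)['status']);
}
```

The same three-caller comparison (no session, employee, administrator) makes a useful regression test against the real endpoint after upgrading.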

Language: PHP

Good to know:


Missing Authorization

CWE-862

Upgrade Version

Upgrade to version bottelet/flarepoint - 2.2.1


Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None