CVE-2022-22111

Date: January 5, 2022

Overview

DayByDay CRM version 2.2.0 is vulnerable to missing authorization. Any application user who has the "update user" permission enabled is able to change the password of other users, including the administrator's. This allows the attacker to gain access to the highest privileged user in the application.

Details

DayByDay CRM allows any user (including low privileged users) with the "Update a User" permission set to change the password of any other user (including administrators) beyond their own role and department access. The permission check is role-based only: it confirms that the actor may update users in general, but never checks whether the specific target account is within the actor's authority. This allows the attacker to escalate their privileges to the highest level.

PoC Details

For demonstration purposes we'll use:
- alice@alice.com, a low privileged user with the "Update a User" role.
- admin@admin.com, the highest privileged administrator.

1. Log in to the application as Admin, and verify that the "update user" role is enabled for the "Employee" type under Roles & Permissions Management in Settings on the left panel.
2. Now log in as Alice, and click Edit on the Admin user in All Users under the Users section in the left panel.
3. Change Admin's password; a message confirming the password change will be displayed.
4. You now have full access to the admin's account.
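The missing check is object-level authorization: the "update user" permission alone says nothing about which accounts the actor may touch. The following is an added illustration, not DayByDay CRM's code, of how a password-change policy can combine the permission check with a rank comparison so that an Employee holding "update user" cannot reset an administrator's password; the role names, rank values and permission string are assumptions.

```php
<?php
// Added illustration (not DayByDay CRM's code): an object-level authorization
// check for password changes. Holding the "update-user" permission must not be
// sufficient; the target account also has to fall under the actor's authority.
declare(strict_types=1);

// Assumed role hierarchy; the real application's role names may differ.
const ROLE_RANK = ['employee' => 1, 'manager' => 2, 'administrator' => 3];

final class User {
    public function __construct(
        public readonly int $id,
        public readonly string $email,
        public readonly string $role,
        public readonly array $permissions,
    ) {}
}

/** Returns null when the change is allowed, otherwise the reason for denial. */
function passwordChangeDenied(User $actor, User $target): ?string {
    // Rule 1: a user may always change their own password (a real flow would
    // also require the current password here).
    if ($actor->id === $target->id) {
        return null;
    }
    // Rule 2: changing someone else's password needs the explicit permission...
    if (!in_array('update-user', $actor->permissions, true)) {
        return 'missing update-user permission';
    }
    // Rule 3: ...AND the target must rank strictly below the actor. This is the
    // check whose absence lets an Employee reset the administrator's password.
    if (ROLE_RANK[$target->role] >= ROLE_RANK[$actor->role]) {
        return sprintf('%s may not change the password of %s (%s)',
            $actor->role, $target->email, $target->role);
    }
    return null;
}

// Constructed sample accounts mirroring the PoC above.
$alice = new User(2, 'alice@alice.com', 'employee', ['update-user']);
$admin = new User(1, 'admin@admin.com', 'administrator', ['update-user']);

echo passwordChangeDenied($alice, $admin) ?? 'allowed', PHP_EOL; // denied: employee vs administrator
echo passwordChangeDenied($admin, $alice) ?? 'allowed', PHP_EOL; // allowed
echo passwordChangeDenied($alice, $alice) ?? 'allowed', PHP_EOL; // allowed (self)
```

Requires PHP 8.1 or later for readonly promoted properties.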

Affected Environments

bottelet/flarepoint - 2.2.0

Prevention

Update to version 2.2.1 of the "bottelet/flarepoint" package (version 2.2.1 in the "Bottelet/DaybydayCRM" repo).

Language: PHP

Good to know:

Missing Authorization (CWE-862)

Upgrade Version: upgrade to version bottelet/flarepoint - 2.2.1

Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial