CVE-2022-22113

Date: January 13, 2022

Overview

DayByDay CRM versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password is changed, whether by the user or by an administrator, a user who was already logged in keeps access to the application even after the change.

Details

The “DayByDay” application is built on the Laravel framework. It does not terminate existing sessions when a password is changed: an already logged-in user can still access the application after the change, because nothing validates an active session against the new password.

PoC Details

For demonstration purposes we will use two users:
- Bob, a low-privileged user.
- Administrator, a highly privileged user.

1. Log in to the application as Bob.
2. In another browser, log in as Administrator and observe that Bob is online.
3. Edit the user Bob from the “all users” page under the “users” section in the left panel.
4. Change Bob's password.
5. Back in the first browser, where Bob is still logged in, click “Create an Offer” under the Leads section to check whether the user can still use the application after the password change.
6. Proceed and create an offer, filling in the details needed to complete the form.
7. The data is saved successfully, so the session is still active even after the password was changed.

Affected Environments

bottelet/flarepoint - 2.2.0 through 2.2.1 (latest)

Remediation

The current session should be destroyed whenever a user requests a password change.
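One way to implement this remediation in a Laravel application, as an added example that is not DayByDay CRM's code: Laravel's `AuthenticateSession` middleware (shipped since 5.6; whether the project's Laravel version includes it is an assumption) ties a session to the password hash it was established with, and `Auth::logoutOtherDevices()` forces the user's remaining sessions out on a self-service change. The controller, its routes, the `User` class location and the validation rules below are hypothetical.

```php
<?php
// Hypothetical password-change controller for a Laravel app (added example, not
// DayByDay CRM's code). Prerequisite: register
//   \Illuminate\Session\Middleware\AuthenticateSession::class
// in the 'web' group of app/Http/Kernel.php. That middleware keeps the user's
// password hash in the session and logs the session out on any request where
// the stored hash no longer matches the hash in the database.
namespace App\Http\Controllers;

use App\User; // App\Models\User on Laravel 8+
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    // A user changes their own password.
    public function update(Request $request)
    {
        $data = $request->validate([
            'current_password' => ['required'],
            'password'         => ['required', 'confirmed', 'min:12'],
        ]);
        $user = $request->user();
        if (! Hash::check($data['current_password'], $user->password)) {
            return back()->withErrors(['current_password' => 'Incorrect password.']);
        }
        $user->password = Hash::make($data['password']);
        $user->save();
        // Must run after the new hash is saved: logoutOtherDevices() re-hashes
        // the password it is given (and throws if it does not match the stored
        // hash), which invalidates every other session of this user, while
        // AuthenticateSession refreshes the hash kept in this session, so only
        // the browser that made the change stays logged in.
        Auth::logoutOtherDevices($data['password']);
        return back()->with('status', 'Password updated.');
    }

    // An administrator resets another user's password (authorization elided).
    public function adminReset(Request $request, User $target)
    {
        $data = $request->validate(['password' => ['required', 'min:12']]);
        $target->password = Hash::make($data['password']);
        $target->save();
        // Nothing more is needed for the target: each of their sessions fails
        // the AuthenticateSession hash comparison on its next request and is
        // logged out, which is the check the vulnerable version lacks.
        return back()->with('status', 'Password reset.');
    }
}
```

With the middleware enabled, step 5 of the PoC above would redirect Bob to the login page instead of letting him create an offer.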

Prevention

No fix was provided

Language: PHP

Good to know:

Insufficient Session Expiration (CWE-613)

Upgrade Version

No fix version available

CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial