Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00NGd2LWZnY2otdzU0Ns0g7w

Missing Authorization in DayByDay CRM

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker holding the lowest-privilege account (an employee-type user) can view the appointments of all users in the system, including administrators, even though this type of user is not authorized to view the calendar at all.

Permalink: https://github.com/advisories/GHSA-44gv-fgcj-w546
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NGd2LWZnY2otdzU0Ns0g7w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.0005
EPSS Percentile: 0.20528

Identifiers: GHSA-44gv-fgcj-w546, CVE-2022-22107
References: Repository: https://github.com/Bottelet/DaybydayCRM
Blast Radius: 1.0

Affected Packages

packagist:bottelet/flarepoint
Dependent packages: 0
Dependent repositories: 0
Downloads: 72 total
Affected Version Ranges: >= 2.0.0, < 2.2.1
Fixed in: 2.2.1
All affected versions: 2.0.0, 2.1.0, 2.2.0
All unaffected versions: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 2.2.1