Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NGd2LWZnY2otdzU0Ns0g7w
Missing Authorization in DayByDay CRM
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.
Permalink: https://github.com/advisories/GHSA-44gv-fgcj-w546JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NGd2LWZnY2otdzU0Ns0g7w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.0005
EPSS Percentile: 0.20528
Identifiers: GHSA-44gv-fgcj-w546, CVE-2022-22107
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22107
- https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
- https://github.com/advisories/GHSA-44gv-fgcj-w546
Blast Radius: 1.0
Affected Packages
packagist:bottelet/flarepoint
Dependent packages: 0Dependent repositories: 0
Downloads: 72 total
Affected Version Ranges: >= 2.0.0, < 2.2.1
Fixed in: 2.2.1
All affected versions: 2.0.0, 2.1.0, 2.2.0
All unaffected versions: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 2.2.1