In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.
References
Link | Resource |
---|---|
https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b | Patch Third Party Advisory |
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Mend
Published: 2022-01-05T15:05:16
Updated: 2022-01-05T15:05:16
Reserved: 2021-12-21T00:00:00
Link: CVE-2022-22107
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-01-05T15:15:07.720
Modified: 2022-01-08T02:49:40.197
Link: CVE-2022-22107
JSON object: View
Redhat Information
No data.
CWE