In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.
References
Link | Resource |
---|---|
https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b | Patch Third Party Advisory |
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Mend
Published: 2022-01-05T15:05:18
Updated: 2022-01-05T15:05:18
Reserved: 2021-12-21T00:00:00
Link: CVE-2022-22108
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-01-05T15:15:07.787
Modified: 2022-01-08T02:49:50.347
Link: CVE-2022-22108
JSON object: View
Redhat Information
No data.
CWE