Vulnerability Description
Daybyday CRM versions 2.0.0 through 2.2.0 are affected by a Missing Authorization weakness. An attacker holding the lowest-privilege account type (an employee user) can view the appointments of every user in the system, administrators included, even though an employee is not authorized to view the calendar at all. In other words, the permission that gates the calendar feature is not enforced on the appointment data itself: being logged in is enough to read it.
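The following is an added illustration of the weakness class described above, written for this page; it is not DaybydayCRM code and not the referenced patch. It models a generic appointments listing in two shapes: the vulnerable one, which only requires the caller to be logged in, and a hardened one that first checks the calendar permission and then scopes results to the caller's own appointments unless they are an administrator. The role names, the "view-calendar" permission and the sample appointments are assumptions made for the example.

```python
# Added example for CWE-862 (Missing Authorization) in the shape of the
# Daybyday CRM appointments issue. NOT the project's code or its patch; the
# roles, the "view-calendar" permission and the data below are assumed.
from __future__ import annotations

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the permission the endpoint requires."""


@dataclass(frozen=True)
class User:
    name: str
    role: str                      # "administrator" or "employee" (assumed roles)
    permissions: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Appointment:
    id: int
    owner: str                     # User.name of the appointment's owner
    title: str


# Constructed sample data: an administrator's appointment, another employee's,
# and one belonging to the low-privilege caller used below.
APPOINTMENTS = [
    Appointment(1, "alice", "admin: board meeting"),
    Appointment(2, "bob", "employee: client call"),
    Appointment(3, "carol", "employee: own standup"),
]


def list_appointments_vulnerable(user: User) -> list[Appointment]:
    """Vulnerable shape: authentication only, no authorization.

    Every logged-in user receives every appointment, so an employee who is
    not even allowed to open the calendar can read the administrators' entries.
    """
    return list(APPOINTMENTS)


def list_appointments_fixed(user: User) -> list[Appointment]:
    """Hardened shape: enforce the capability, then scope the data.

    1. Capability check: the listing belongs to the calendar feature, so a
       user without the "view-calendar" permission is refused outright.
    2. Object scoping: a user who may use the calendar still only sees their
       own appointments unless they are an administrator.
    """
    if "view-calendar" not in user.permissions:
        raise Forbidden(f"{user.name} may not view the calendar")
    if user.role == "administrator":
        return list(APPOINTMENTS)
    return [a for a in APPOINTMENTS if a.owner == user.name]


def leaks_foreign_appointments(handler, user: User) -> bool:
    """Probe used to classify a handler: True if `user` can read an
    appointment owned by someone else without being refused."""
    try:
        visible = handler(user)
    except Forbidden:
        return False
    return any(a.owner != user.name for a in visible)


if __name__ == "__main__":
    admin = User("alice", "administrator", frozenset({"view-calendar"}))
    employee = User("carol", "employee", frozenset())  # lowest-privilege account
    for name, handler in (("vulnerable", list_appointments_vulnerable),
                          ("fixed", list_appointments_fixed)):
        print(name, "leaks to employee:", leaks_foreign_appointments(handler, employee))
        print(name, "admin sees:", len(handler(admin)))
```

The point of the two-step check in `list_appointments_fixed` is that the permission test alone would still let any calendar-enabled user read everyone's appointments; object scoping is a separate control, and the probe `leaks_foreign_appointments` is the kind of test that distinguishes the two.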
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Daybydaycrm | Daybyday Crm | >= 2.0.0, <= 2.2.0 |
Related Weaknesses (CWE)
- CWE-862: Missing Authorization (the weakness class named in the description)
References
- https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b (Patch, Third Party Advisory)
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107 (Third Party Advisory)
FAQ
What is CVE-2022-22107?
CVE-2022-22107 is a vulnerability with a CVSS score of 4.3 (MEDIUM). In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users i...
How severe is CVE-2022-22107?
CVE-2022-22107 has been rated MEDIUM with a CVSS base score of 4.3/10. The impact is a confidentiality loss only: a low-privilege authenticated user can read other users' appointment data, including administrators'; no modification or privilege escalation is described.
Is there a patch for CVE-2022-22107?
Yes. The references section above links the fixing commit in the Bottelet/DaybydayCRM repository, tagged as the patch. Affected product: Daybydaycrm Daybyday Crm, versions 2.0.0 through 2.2.0 inclusive; releases later than 2.2.0 are not listed as affected. Until upgraded, treat every employee-type account as able to read all appointments.