Description
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b
Third Party Advisory x_refsource_misc
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108
Scores
CVSS v3
4.3
EPSS
0.0015
EPSS Percentile
35.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (2)
bottelet/flarepoint
2.0.0 - 2.2.1Packagist
daybydaycrm/daybyday_crm
2.0.0 - 2.2.0
Published
Jan 05, 2022
Tracked Since
Feb 18, 2026