Vulnerability Details CVE-2022-22107
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 36.5%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
- https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
Products affected by CVE-2022-22107
-
cpe:2.3:a:daybydaycrm:daybyday_crm:2.2.0