Lucene search

[email protected]NVD:CVE-2022-22108

HistoryJan 05, 2022 - 3:15 p.m.

CVE-2022-22108

2022-01-0515:15:07

CWE-862

[email protected]

web.nvd.nist.gov

daybyday crm

missing authorization

vulnerability

privileges

user absences

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

19.4%

JSON

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

Affected configurations

Nvd

Node

daybydaycrmdaybyday_crmRange2.0.0–2.2.0

VendorProductVersionCPE
daybydaycrmdaybyday_crm*cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
daybydaycrm	daybyday_crm	*	cpe:2.3:a:daybydaycrm:daybyday_crm::::::::

References

github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b

www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

19.4%

JSON

Related for NVD:CVE-2022-22108

cvelist1 cnvd1 github1 osv2 cve1 prion1