CVE-2022-22107
Published Jan 5, 2022
Last updated 3 years ago
Overview
- Description: In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker with the lowest-privileged account type (an employee-type user) can view the appointments of all users in the system, including administrators, even though this type of user is not authorized to view the calendar at all.
- Source: vulnerabilitylab@mend.io
- NVD status: Analyzed
Risk scores
CVSS 3.1
- Type: Primary
- Base score: 4.3
- Impact score: 1.4
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Severity: MEDIUM
CVSS 2.0
- Type: Primary
- Base score: 4
- Impact score: 2.9
- Exploitability score: 8
- Vector string: AV:N/AC:L/Au:S/C:P/I:N/A:N
Configurations
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ADAFF08E-EF6E-45ED-A139-DD7DDD947C52",
            "versionEndIncluding": "2.2.0",
            "versionStartIncluding": "2.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]