CVE-2022-22107

Missing Authorization in packagist/bottelet/flarepoint

Identifiers

GHSA-44gv-fgcj-w546, CVE-2022-22107

Package Slug

packagist/bottelet/flarepoint

Vulnerability

Missing Authorization

Description

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

Affected Versions

All versions starting from 2.0.0 before 2.2.1

Solution

Upgrade to version 2.2.1 or above.

Last Modified

2022-01-11

source