CVE-2022-22107: Missing Authorization

January 8, 2022

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

References

github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
github.com/advisories/GHSA-44gv-fgcj-w546
nvd.nist.gov/vuln/detail/CVE-2022-22107
www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107

Detect and mitigate CVE-2022-22107 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →