Search criteria
9 vulnerabilities by Bottelet
CVE-2026-10283 (GCVE-0-2026-10283)
Vulnerability from cvelistv5 – Published: 2026-06-01 18:45 – Updated: 2026-06-02 12:41
VLAI
Title
Bottelet DaybydayCRM Setting missing authentication
Summary
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367576 | vdb-entry |
| https://vuldb.com/vuln/367576/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10283 | third-party-advisory |
| https://vuldb.com/submit/825442 | third-party-advisory |
| https://vuldb.com/submit/825443 | third-party-advisory |
| https://github.com/Bottelet/DaybydayCRM/issues/348 | issue-tracking |
| https://github.com/Bottelet/DaybydayCRM/pull/363 | issue-trackingpatch |
| https://github.com/Bottelet/DaybydayCRM/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0
Affected: 2.2.1 cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10283",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:41:33.871573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:41:42.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*"
],
"modules": [
"Setting Handler"
],
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
},
{
"status": "affected",
"version": "2.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell_45 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:45:12.856Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367576 | Bottelet DaybydayCRM Setting missing authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/367576"
},
{
"name": "VDB-367576 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367576/cti"
},
{
"name": "CVE-2026-10283 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10283"
},
{
"name": "Submit #825442 | Bottelet DaybydayCRM \u003c= 2.2.1 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825442"
},
{
"name": "Submit #825443 | Bottelet DaybydayCRM \u003c= 2.2.1 Mass Assignment (CWE-915) (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825443"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Bottelet/DaybydayCRM/issues/348"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/Bottelet/DaybydayCRM/pull/363"
},
{
"tags": [
"product"
],
"url": "https://github.com/Bottelet/DaybydayCRM/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:31:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "Bottelet DaybydayCRM Setting missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10283",
"datePublished": "2026-06-01T18:45:12.856Z",
"dateReserved": "2026-05-31T16:25:59.369Z",
"dateUpdated": "2026-06-02T12:41:42.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10282 (GCVE-0-2026-10282)
Vulnerability from cvelistv5 – Published: 2026-06-01 18:30 – Updated: 2026-06-01 19:36
VLAI
Title
Bottelet DaybydayCRM DocumentsController.php view improper authorization
Summary
A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367575 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367575/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10282 | third-party-advisory |
| https://vuldb.com/submit/825439 | third-party-advisory |
| https://vuldb.com/submit/825440 | third-party-advisory |
| https://github.com/Bottelet/DaybydayCRM/issues/347 | issue-tracking |
| https://github.com/Bottelet/DaybydayCRM/pull/362 | issue-trackingpatch |
| https://github.com/Bottelet/DaybydayCRM/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0
Affected: 2.2.1 cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:35:56.101906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:36:10.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*"
],
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
},
{
"status": "affected",
"version": "2.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell45 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:30:13.342Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367575 | Bottelet DaybydayCRM DocumentsController.php view improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367575"
},
{
"name": "VDB-367575 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367575/cti"
},
{
"name": "CVE-2026-10282 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10282"
},
{
"name": "Submit #825439 | Bottelet DaybydayCRM \u003c= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825439"
},
{
"name": "Submit #825440 | Bottelet DaybydayCRM \u003c= 2.2.1 Improper Authorization (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825440"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Bottelet/DaybydayCRM/issues/347"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/Bottelet/DaybydayCRM/pull/362"
},
{
"tags": [
"product"
],
"url": "https://github.com/Bottelet/DaybydayCRM/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:31:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "Bottelet DaybydayCRM DocumentsController.php view improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10282",
"datePublished": "2026-06-01T18:30:13.342Z",
"dateReserved": "2026-05-31T16:25:56.939Z",
"dateUpdated": "2026-06-01T19:36:10.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-22113 (GCVE-0-2022-22113)
Vulnerability from cvelistv5 – Published: 2022-01-13 08:35 – Updated: 2024-09-17 02:31
VLAI
Title
DayByDay CRM - Insufficient Session Expiration after Password Change
Summary
In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.
Severity
8.8 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/blob/mast… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0 , < unspecified
(custom)
|
Date Public
2022-01-07 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.230Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"datePublic": "2022-01-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-13T08:35:13.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Insufficient Session Expiration after Password Change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2022-01-07T22:00:00.000Z",
"ID": "CVE-2022-22113",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Insufficient Session Expiration after Password Change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.2.0"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113"
}
]
},
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22113",
"datePublished": "2022-01-13T08:35:13.633Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:31:21.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22112 (GCVE-0-2022-22112)
Vulnerability from cvelistv5 – Published: 2022-01-13 08:35 – Updated: 2024-09-16 23:35
VLAI
Title
DayByDay CRM - Application-Wide Client-Side Template Injection (CSTI)
Summary
In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript on the client browser.
Severity
5.4 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/blob/2.2.… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
1.1 , < unspecified
(custom)
|
Date Public
2022-01-07 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/blob/2.2.1/resources/views/partials/clientheader.blade.php#L17"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22112"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"datePublic": "2022-01-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript on the client browser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-13T08:35:11.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/blob/2.2.1/resources/views/partials/clientheader.blade.php#L17"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22112"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Application-Wide Client-Side Template Injection (CSTI)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2022-01-07T22:00:00.000Z",
"ID": "CVE-2022-22112",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Application-Wide Client-Side Template Injection (CSTI)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.1"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript on the client browser."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/blob/2.2.1/resources/views/partials/clientheader.blade.php#L17",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/blob/2.2.1/resources/views/partials/clientheader.blade.php#L17"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22112",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22112"
}
]
},
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22112",
"datePublished": "2022-01-13T08:35:12.079Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:35:56.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22111 (GCVE-0-2022-22111)
Vulnerability from cvelistv5 – Published: 2022-01-05 15:05 – Updated: 2024-08-03 03:00
VLAI
Title
DayByDay CRM - Missing Authorization when Changing Password
Summary
In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application.
Severity
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/commit/fe… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0
|
|
| Bottelet | flarepoint |
Affected:
2.2.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.383Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22111"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
}
]
},
{
"product": "flarepoint",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator\u2019s. This allows the attacker to gain access to the highest privileged user in the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-05T15:05:22.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22111"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Missing Authorization when Changing Password",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2022-22111",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Missing Authorization when Changing Password"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.2.0"
}
]
}
},
{
"product_name": "flarepoint",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.2.0"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator\u2019s. This allows the attacker to gain access to the highest privileged user in the application."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22111",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22111"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22111",
"datePublished": "2022-01-05T15:05:22.000Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:00:55.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22110 (GCVE-0-2022-22110)
Vulnerability from cvelistv5 – Published: 2022-01-05 15:05 – Updated: 2024-08-03 03:00
VLAI
Title
DayByDay CRM - Weak Password Requirements in Update User
Summary
In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort.
Severity
7.5 (High)
CWE
- CWE-521 - Weak Password Requirements
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/commit/a0… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
unspecified , ≤ 2.2.0
(custom)
Affected: 1.1 , < unspecified (custom) |
|
| Bottelet | flarepoint |
Affected:
unspecified , ≤ 2.2.0
(custom)
Affected: 1.1 , < unspecified (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1",
"versionType": "custom"
}
]
},
{
"product": "flarepoint",
"vendor": "Bottelet",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-05T15:05:21.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Weak Password Requirements in Update User",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2022-22110",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Weak Password Requirements in Update User"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.2.0"
},
{
"version_affected": "\u003e=",
"version_value": "1.1"
}
]
}
},
{
"product_name": "flarepoint",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.2.0"
},
{
"version_affected": "\u003e=",
"version_value": "1.1"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-521 Weak Password Requirements"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22110",
"datePublished": "2022-01-05T15:05:21.000Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:00:55.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22109 (GCVE-0-2022-22109)
Vulnerability from cvelistv5 – Published: 2022-01-05 15:05 – Updated: 2024-08-03 03:00
VLAI
Title
DayByDay CRM - Stored Cross-Site Scripting (XSS) in Task Title
Summary
In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks.
Severity
5.4 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/commit/00… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0
|
|
| Bottelet | flarepoint |
Affected:
2.2.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/002dc75f400cf307bd00b71a5a93f1e26e52cee2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22109"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
}
]
},
{
"product": "flarepoint",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim\u2019s browser when they open the \u201c/tasks\u201d page to view all the tasks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-05T15:05:20.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/002dc75f400cf307bd00b71a5a93f1e26e52cee2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22109"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Stored Cross-Site Scripting (XSS) in Task Title",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2022-22109",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Stored Cross-Site Scripting (XSS) in Task Title"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.2.0"
}
]
}
},
{
"product_name": "flarepoint",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.2.0"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim\u2019s browser when they open the \u201c/tasks\u201d page to view all the tasks."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/commit/002dc75f400cf307bd00b71a5a93f1e26e52cee2",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/commit/002dc75f400cf307bd00b71a5a93f1e26e52cee2"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22109",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22109"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22109",
"datePublished": "2022-01-05T15:05:20.000Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:00:55.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22108 (GCVE-0-2022-22108)
Vulnerability from cvelistv5 – Published: 2022-01-05 15:05 – Updated: 2024-08-03 03:00
VLAI
Title
DayByDay CRM - Missing Authorization when Viewing Absences
Summary
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/commit/fe… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 2.2.0 (custom) |
|
| Bottelet | flarepoint |
Affected:
2.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 2.2.0 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flarepoint",
"vendor": "Bottelet",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-05T15:05:18.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Missing Authorization when Viewing Absences",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2022-22108",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Missing Authorization when Viewing Absences"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.2.0"
}
]
}
},
{
"product_name": "flarepoint",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.2.0"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22108",
"datePublished": "2022-01-05T15:05:18.000Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:00:55.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22107 (GCVE-0-2022-22107)
Vulnerability from cvelistv5 – Published: 2022-01-05 15:05 – Updated: 2024-08-03 03:00
VLAI
Title
DayByDay CRM - Missing Authorization when Viewing Appointments
Summary
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Bottelet/DaybydayCRM/commit/a0… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 2.2.0 (custom) |
|
| Bottelet | flarepoint |
Affected:
2.0.0 , < unspecified
(custom)
Affected: unspecified , ≤ 2.2.0 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:55.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "flarepoint",
"vendor": "Bottelet",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-05T15:05:16.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "DayByDay CRM - Missing Authorization when Viewing Appointments",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2022-22107",
"STATE": "PUBLIC",
"TITLE": "DayByDay CRM - Missing Authorization when Viewing Appointments"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DaybydayCRM",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.2.0"
}
]
}
},
{
"product_name": "flarepoint",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.2.0"
}
]
}
}
]
},
"vendor_name": "Bottelet"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b",
"refsource": "MISC",
"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.2.1"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-22107",
"datePublished": "2022-01-05T15:05:16.000Z",
"dateReserved": "2021-12-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:00:55.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}