CVE-2022-22110 (GCVE-0-2022-22110)

Vulnerability from cvelistv5 – Published: 2022-01-05 15:05 – Updated: 2024-08-03 03:00
VLAI?
Title
DayByDay CRM - Weak Password Requirements in Update User
Summary
In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-521 - Weak Password Requirements
Assigner
References
Impacted products
Vendor Product Version
Bottelet DaybydayCRM Affected: unspecified , ≤ 2.2.0 (custom)
Affected: 1.1 , < unspecified (custom)
Create a notification for this product.
    Bottelet flarepoint Affected: unspecified , ≤ 2.2.0 (custom)
Affected: 1.1 , < unspecified (custom)
Create a notification for this product.
Credits
WhiteSource Vulnerability Research Team (WVR)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:00:55.381Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DaybydayCRM",
          "vendor": "Bottelet",
          "versions": [
            {
              "lessThanOrEqual": "2.2.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "flarepoint",
          "vendor": "Bottelet",
          "versions": [
            {
              "lessThanOrEqual": "2.2.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "WhiteSource Vulnerability Research Team (WVR)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-521",
              "description": "CWE-521 Weak Password Requirements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-05T15:05:21.000Z",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to 2.2.1"
        }
      ],
      "source": {
        "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "DayByDay CRM - Weak Password Requirements in Update User",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
          "ID": "CVE-2022-22110",
          "STATE": "PUBLIC",
          "TITLE": "DayByDay CRM - Weak Password Requirements in Update User"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DaybydayCRM",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.2.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "flarepoint",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.2.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Bottelet"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "WhiteSource Vulnerability Research Team (WVR)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-521 Weak Password Requirements"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b",
              "refsource": "MISC",
              "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"
            },
            {
              "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110",
              "refsource": "MISC",
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to 2.2.1"
          }
        ],
        "source": {
          "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2022-22110",
    "datePublished": "2022-01-05T15:05:21.000Z",
    "dateReserved": "2021-12-21T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:00:55.381Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-22110",
      "date": "2026-05-04",
      "epss": "0.0028",
      "percentile": "0.51268"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.1.0\", \"versionEndIncluding\": \"2.2.0\", \"matchCriteriaId\": \"7C4701D6-2257-487B-8037-51B4B3AA90B5\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\\u2019 passwords with minimal to no computational effort.\"}, {\"lang\": \"es\", \"value\": \"En Daybyday CRM, versiones 1.1 a 2.2.0, imponen requisitos de contrase\\u00f1a d\\u00e9biles en la funcionalidad user update. Un usuario con privilegios para actualizar su contrase\\u00f1a podr\\u00eda cambiarla por una contrase\\u00f1a d\\u00e9bil, como las que presentan una longitud de un solo car\\u00e1cter. Esto podr\\u00eda permitir a un atacante forzar las contrase\\u00f1as de los usuarios con un esfuerzo computacional m\\u00ednimo o nulo.\"}]",
      "id": "CVE-2022-22110",
      "lastModified": "2024-11-21T06:46:12.150",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"vulnerabilitylab@mend.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-01-05T15:15:07.923",
      "references": "[{\"url\": \"https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b\", \"source\": \"vulnerabilitylab@mend.io\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110\", \"source\": \"vulnerabilitylab@mend.io\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "vulnerabilitylab@mend.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"vulnerabilitylab@mend.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-521\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-521\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-22110\",\"sourceIdentifier\":\"vulnerabilitylab@mend.io\",\"published\":\"2022-01-05T15:15:07.923\",\"lastModified\":\"2024-11-21T06:46:12.150\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort.\"},{\"lang\":\"es\",\"value\":\"En Daybyday CRM, versiones 1.1 a 2.2.0, imponen requisitos de contrase\u00f1a d\u00e9biles en la funcionalidad user update. Un usuario con privilegios para actualizar su contrase\u00f1a podr\u00eda cambiarla por una contrase\u00f1a d\u00e9bil, como las que presentan una longitud de un solo car\u00e1cter. Esto podr\u00eda permitir a un atacante forzar las contrase\u00f1as de los usuarios con un esfuerzo computacional m\u00ednimo o nulo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-521\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-521\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.0\",\"versionEndIncluding\":\"2.2.0\",\"matchCriteriaId\":\"7C4701D6-2257-487B-8037-51B4B3AA90B5\"}]}]}],\"references\":[{\"url\":\"https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.