PT-2022-15243 · Unknown · Daybyday Crm

Published: 2022-01-05 · Updated: 2022-01-08 · CVE-2022-22107

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Daybyday CRM versions 2.0.0 through 2.2.0

Description: The issue allows an attacker holding the lowest-privileged account type, an employee user, to view the appointments of all users in the system, including administrators. This is a problem because an employee user is not authorized to view the calendar at all.

Recommendations: For Daybyday CRM versions 2.0.0 through 2.2.0, consider restricting access to the calendar feature for employee type users until a patch is available. As a temporary workaround, limit the privileges of employee type users so that they cannot view the appointments of other users, including administrators. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2022-22107
GHSA-44GV-FGCJ-W546

Affected Products

Daybyday Crm