PT-2022-15244 · Unknown · Daybyday Crm

Published

2022-01-05

·

Updated

2022-01-08

·

CVE-2022-22108

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Daybyday CRM versions 2.0.0 through 2.2.0

Description

The issue allows an attacker holding the lowest-privileged account type, an employee user, to view the absences of all users in the system, including administrators. This type of user is not authorized to view this kind of information.

Recommendations

For Daybyday CRM versions 2.0.0 through 2.2.0, consider restricting access to absence viewing features to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the privileges of employee type users to prevent them from accessing sensitive information.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2022-22108
GHSA-FRXP-XXX8-HRG6

Affected Products

Daybyday Crm