PT-2022-15248 · Unknown · Daybyday Crm

Published

2022-01-05

Updated

2022-01-08

CVE-2022-22111

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions DayByDay CRM version 2.2.0

Description The issue is related to missing authorization in the application. Any user with update user permission enabled can change the password of other users, including the administrator's, allowing an attacker to gain access to the highest privileged user.

Recommendations For DayByDay CRM version 2.2.0, consider disabling the update user permission for all non-administrator users until a patch is available to prevent unauthorized password changes. Restrict access to user account management features to minimize the risk of exploitation.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2022-22111

GHSA-W6RP-4VJ7-V2M8

Affected Products

Daybyday Crm

PT-2022-15248 · Unknown · Daybyday Crm

CVE-2022-22111

Weakness Enumeration

Related Identifiers

Affected Products

References · 7