CVE-2022-22107 – bottelet/flarepoint

Package

Manager: composer
Name: bottelet/flarepoint
Vulnerable Version: >=2.0.0 <2.2.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00151 pctl0.36293

Details

Missing Authorization in DayByDay CRM In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

Metadata

Created: 2022-01-08T00:31:55Z
Modified: 2022-01-07T20:37:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-44gv-fgcj-w546/GHSA-44gv-fgcj-w546.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-44gv-fgcj-w546
Finding: F039
Auto approve: 1