CVE-2022-22108 – bottelet/flarepoint

Package

Manager: composer
Name: bottelet/flarepoint
Vulnerable Version: >=2.0.0 <2.2.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00151 pctl0.36293

Details

Missing Authorization in DayByDay CRM In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

Metadata

Created: 2022-01-08T00:31:52Z
Modified: 2022-01-07T20:43:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-frxp-xxx8-hrg6/GHSA-frxp-xxx8-hrg6.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-frxp-xxx8-hrg6
Finding: F039
Auto approve: 1