CVE-2022-22111 HIGH

CVE-2022-22111: DayByDay CRM - Missing Authorization when Changing Password

Vendor Bottelet
Product DaybydayCRM
Weakness CWE-862 · Missing authorization
Published January 5, 2022
Last update August 3, 2024

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

DayByDay CRM version 2.2.0 is vulnerable to missing authorization. Any user of the application who has the update-user permission enabled is able to change the password of other users, including the administrator's. This allows the attacker to gain access to the highest-privileged user in the application.

Key dates

Disclosure timeline

January 5, 2022 CVE published
August 3, 2024 Record updated

Related vulnerabilities

Related CVE