CVE-2022-22113 HIGH

CVE-2022-22113: DayByDay CRM - Insufficient Session Expiration after Password Change

Vendor Bottelet
Product DaybydayCRM
Weakness CWE-613 · Insufficient session expiration
Published January 13, 2022
Last update September 17, 2024

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

Key dates

02Disclosure timeline

January 13, 2022 CVE published
September 17, 2024 Record updated