Mend Vulnerability Database
Date: January 5, 2022
Overview
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker holding the lowest-privileged account type (an employee user) can view the appointments of all users in the system, including administrators, even though this user type is not authorized to view the calendar at all.
Details
In Daybyday CRM, an attacker holding the lowest-privileged account type (an employee user) can view the appointments of all users in the system, including administrators. This user type is not authorized to view the calendar at all, and the Appointments entry is hidden from its side menu, yet the attacker can still reach the calendar simply by appending /appointments/calendar to the URL: the access control exists only in the navigation, not on the route itself.
PoC Details
For demonstration purposes we'll use 2 users:
email@example.com (low privileged user)
Log in as the administrator (username "firstname.lastname@example.org"). Go to Appointments and create a new appointment for the administrator.
Log off and log in as email@example.com. You will notice that this user has no Appointments option in the side menu, whereas the administrator does. Append /appointments/calendar to the URL and you will see the calendar of all users with their appointments, including the one you just created as the administrator.
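The pattern described in the Details and PoC above, as an added example that is not code from Daybyday CRM, bottelet/flarepoint or Mend: a minimal model in which the only gate on the calendar is the hidden side-menu link, beside a handler that enforces the permission on the request itself. It also includes a small forced-browsing check that flags any route hidden from a user's menu yet still served with a 200, which is the general signature of UI-only authorization. The user records, the permission name `appointment.calendar.view`, the `.invalid` e-mail addresses and the appointment data are constructed for illustration and are not taken from the project.

```python
# Added example (not Daybyday CRM or Mend code): a model of the missing
# authorization the advisory describes. The calendar link is hidden from
# employee-type users, but the vulnerable route handler never checks a
# permission, so a direct request for the path still returns the calendar.
# Users, permission name and appointment data below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

CALENDAR_PATH = "/appointments/calendar"
CALENDAR_PERM = "appointment.calendar.view"   # assumed permission name


@dataclass
class User:
    email: str
    role: str                                  # "administrator" or "employee"
    permissions: Set[str] = field(default_factory=set)


@dataclass
class Appointment:
    owner: str
    title: str


# Constructed data: one appointment the administrator created for themselves.
APPOINTMENTS: List[Appointment] = [
    Appointment(owner="admin@example.invalid", title="Board meeting"),
]

Response = Tuple[int, List[str]]
Handler = Callable[[User], Response]


def sidebar(user: User) -> List[str]:
    """UI-level gating only: employees never see the Appointments entry."""
    return [CALENDAR_PATH] if user.role == "administrator" else []


def calendar_vulnerable(user: User) -> Response:
    """Vulnerable handler: assumes the hidden menu link was the access control."""
    return 200, [f"{a.owner}: {a.title}" for a in APPOINTMENTS]


def calendar_fixed(user: User) -> Response:
    """Hardened handler: the permission is checked on the request itself."""
    if CALENDAR_PERM not in user.permissions:
        return 403, []
    return 200, [f"{a.owner}: {a.title}" for a in APPOINTMENTS]


ROUTES_VULNERABLE: Dict[str, Handler] = {CALENDAR_PATH: calendar_vulnerable}
ROUTES_FIXED: Dict[str, Handler] = {CALENDAR_PATH: calendar_fixed}


def request(routes: Dict[str, Handler], user: User, path: str) -> Response:
    """Dispatch a request for `path` on behalf of an authenticated `user`."""
    handler = routes.get(path)
    if handler is None:
        return 404, []
    return handler(user)


def forced_browsing_findings(routes: Dict[str, Handler], user: User) -> List[str]:
    """Return every route hidden from `user`'s menu that still answers 200.

    Any hit means the application hides the link but does not enforce the
    permission on the route, which is exactly the Daybyday CRM bug.
    """
    hidden = set(routes) - set(sidebar(user))
    return sorted(p for p in hidden if request(routes, user, p)[0] == 200)


def demo() -> Dict[str, object]:
    """Replay the PoC against both handler sets and collect the outcomes."""
    admin = User("admin@example.invalid", "administrator", {CALENDAR_PERM})
    employee = User("employee@example.invalid", "employee")
    return {
        "employee_sees_link": CALENDAR_PATH in sidebar(employee),
        "vulnerable_status": request(ROUTES_VULNERABLE, employee, CALENDAR_PATH)[0],
        "vulnerable_findings": forced_browsing_findings(ROUTES_VULNERABLE, employee),
        "fixed_status": request(ROUTES_FIXED, employee, CALENDAR_PATH)[0],
        "fixed_findings": forced_browsing_findings(ROUTES_FIXED, employee),
        "admin_status": request(ROUTES_FIXED, admin, CALENDAR_PATH)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The employee never sees the link in either version; what changes is that the hardened route answers 403 to the direct request, so the forced-browsing check finds nothing. The same check, run against a real deployment with a low-privileged session and the list of routes absent from that user's menu, is the regression test to keep after applying the fix.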
Affected Environments
bottelet/flarepoint - 2.0.0 through 2.2.0
Prevention
Update to version 2.2.1 of the "bottelet/flarepoint" package (release 2.2.1 in the "Bottelet/DaybydayCRM" repository). After upgrading, repeat the PoC: the low-privileged user must be denied when requesting /appointments/calendar directly, not merely left without the menu entry.
Good to know:
CVSS v3 metrics
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
CVSS v2 metrics
Access Vector (AV): Network
Access Complexity (AC): Low