CVE-2022-22111
Date: January 5, 2022
Overview
DayByDay CRM version 2.2.0 is vulnerable to missing authorization. Any application user who has the “Update a User” permission enabled is able to change the password of other users, including the administrator’s. This allows an attacker to gain access to the highest-privileged user in the application.
Details
DayByDay CRM allows any user (including low-privileged users) with the “Update a User” permission set to change the password of any other user (including administrators), beyond the reach of their own role and department. This allows an attacker to escalate privileges to the highest level.
PoC Details
For demonstration purposes we'll use:
alice@alice.com, a low-privileged user with the “Update a User” role.
admin@admin.com, the highest-privileged administrator.
Log in to the application as Admin, and verify that the “update user” role is enabled for the “Employee” type under Roles & Permissions Management in Settings on the left panel.
Now log in as Alice, and click Edit on the Admin user in All Users under the Users section in the left panel.
Change Admin’s password, and a message approving the password change will be displayed.
You now have full access to the admin’s account.
Affected Environments
bottelet/flarepoint - 2.2.0
Prevention
Update to 2.2.1 in the "bottelet/flarepoint" package, 2.2.1 in the "Bottelet/DaybydayCRM" repo.
Language: PHP
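To make the missing check concrete, here is an added illustration (not DayByDay CRM's own code) of a simplified user-update handler with the authorization gap described above, next to a hardened version; the User class, the "update-user" permission string and the helper names are assumptions.

```php
<?php
// Added illustration, not DayByDay CRM's own code. User, hasPermission and
// the "update-user" permission name are assumptions for this example.
class User
{
    public function __construct(
        public int $id,
        public string $email,
        public bool $isAdmin,
        public array $permissions,
        public string $passwordHash,
    ) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// VULNERABLE: the "update-user" permission alone gates password changes on
// ANY account, so a low-privileged user can reset the administrator's password.
function updatePasswordVulnerable(User $actor, User $target, string $newPassword): bool
{
    if (!$actor->hasPermission('update-user')) {
        return false;
    }
    $target->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// HARDENED: a user may change only their own password and must prove the current
// one; resetting another account's credential is reserved for administrators.
function updatePasswordHardened(User $actor, User $target, string $newPassword, ?string $currentPassword = null): bool
{
    if ($actor->id === $target->id) {
        if ($currentPassword === null || !password_verify($currentPassword, $actor->passwordHash)) {
            return false; // self-service change without the current password is refused
        }
    } elseif (!$actor->isAdmin) {
        return false; // "update-user" does not extend to other users' credentials
    }
    $target->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed accounts mirroring the PoC: alice holds "update-user" only.
$admin = new User(1, 'admin@admin.com', true, ['update-user'], password_hash('admin-pw', PASSWORD_DEFAULT));
$alice = new User(2, 'alice@alice.com', false, ['update-user'], password_hash('alice-pw', PASSWORD_DEFAULT));
var_dump(updatePasswordVulnerable($alice, $admin, 'changed')); // the path the advisory describes
var_dump(updatePasswordHardened($alice, $admin, 'changed'));   // rejected by the hardened check
```

Role and department scoping, which the advisory also names, belongs in the same authorization check rather than in the permission flag alone.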
Good to know:

CVSS v3 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

CVSS v2 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (AU) | Single |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | Partial |