

Date: January 13, 2022


DayByDay CRM versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password is changed, whether by the user or by an administrator, a user who was already logged in keeps access to the application under the old session even after the change.


The DayByDay application is built on the Laravel framework. It does not terminate existing sessions when a password is changed: a session established before the change is never re-validated against the new credential, so an already logged-in user (or anyone holding that user's session cookie) retains full access to the application. Resetting a password, which is the usual response to a suspected account compromise, therefore does not evict an attacker who already has a session.

PoC Details

For demonstration purposes we use two users:
Bob, a low-privileged user.
Administrator, a highly privileged user.
Log in to the application as Bob.
In a second browser, log in as Administrator and observe that Bob is online.
Edit the user Bob from the "all users" page under the "users" section in the left panel.
Change Bob's password.
Back in the first browser, where Bob is still logged in, click "Create an Offer" under the Leads section to check whether Bob's session is still accepted after the password change.
Create an offer, filling in the details needed to complete the form.
The offer is saved successfully, so the session is still active even though the password was changed. The same outcome is observed when Bob changes his own password from a different session: other sessions for the account are not invalidated.

Affected Environments

bottelet/flarepoint - 2.2.0 through 2.2.1 (latest)


Every active session for the account should be invalidated whenever its password changes, whether the change is self-service or made by an administrator (for a self-service change, the session that performed the change may be kept). On Laravel this is what the framework's AuthenticateSession middleware and Auth::logoutOtherDevices() exist for: the session records the password hash it was issued under, and a request whose session hash no longer matches the user's current hash is logged out.
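The following is an added example, not code from DayByDay/Flarepoint or from Laravel. It models the PoC flow above with an in-memory session store and shows one way to fix it: bind each session to the password hash that was current when the session was created, and reject any session whose stored hash no longer matches on the next request. The classes and method names (User, SessionStore, login, currentUser, changePassword) are assumptions for illustration; the PHP 8 syntax (constructor promotion, named arguments) is required to run it.

```php
<?php
declare(strict_types=1);

// Added example, not DayByDay/Flarepoint or Laravel code. In-memory model of the
// session behaviour from the PoC and of one fix: bind sessions to the password
// hash they were issued under. Names below are illustrative assumptions.

final class User
{
    public function __construct(public string $name, public string $passwordHash) {}
}

final class SessionStore
{
    /** @var array<string, array{user: string, password_hash: ?string}> */
    private array $sessions = [];

    /** @var array<string, User> */
    private array $users = [];

    public function addUser(User $u): void
    {
        $this->users[$u->name] = $u;
    }

    // Creates a session. With $bindToPasswordHash = false this is the vulnerable
    // behaviour: nothing in the session records which password it was issued under.
    public function login(string $name, bool $bindToPasswordHash): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [
            'user'          => $name,
            'password_hash' => $bindToPasswordHash ? $this->users[$name]->passwordHash : null,
        ];
        return $id;
    }

    // Per-request check, comparable to what Laravel's AuthenticateSession middleware
    // does: if the session was bound to a hash and the user's hash has since changed,
    // destroy the session and treat the request as unauthenticated.
    public function currentUser(string $id): ?User
    {
        if (!isset($this->sessions[$id])) {
            return null;
        }
        $s    = $this->sessions[$id];
        $user = $this->users[$s['user']];
        if ($s['password_hash'] !== null && !hash_equals($s['password_hash'], $user->passwordHash)) {
            unset($this->sessions[$id]);   // stale session: password changed after login
            return null;
        }
        return $user;
    }

    // Password change by the user or by an administrator. $keepSession is the session
    // of a user changing their own password; it is re-bound to the new hash so that
    // session survives while every other session for the account fails currentUser().
    public function changePassword(string $name, string $newPassword, ?string $keepSession = null): void
    {
        $user = $this->users[$name];
        $user->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
        if ($keepSession !== null && isset($this->sessions[$keepSession])
            && $this->sessions[$keepSession]['user'] === $name) {
            $this->sessions[$keepSession]['password_hash'] = $user->passwordHash;
        }
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected: $what");
    }
    echo "ok: $what\n";
}

$store = new SessionStore();
$store->addUser(new User('bob', password_hash('bob-initial', PASSWORD_DEFAULT)));

// Vulnerable behaviour (as reported): Bob logs in, the administrator changes Bob's
// password, and Bob's existing session is still accepted.
$bobVulnerable = $store->login('bob', bindToPasswordHash: false);
$store->changePassword('bob', 'admin-set-password');
expect($store->currentUser($bobVulnerable) !== null, 'unbound session survives an admin password change (the bug)');

// Hardened behaviour: the same sequence ends Bob's old session.
$bobHardened = $store->login('bob', bindToPasswordHash: true);
$store->changePassword('bob', 'admin-set-again');
expect($store->currentUser($bobHardened) === null, 'bound session is rejected after an admin password change');

// Self-service change: the session that changed the password stays, the other does not.
$bobLaptop = $store->login('bob', bindToPasswordHash: true);
$bobPhone  = $store->login('bob', bindToPasswordHash: true);
$store->changePassword('bob', 'chosen-by-bob', keepSession: $bobLaptop);
expect($store->currentUser($bobLaptop) !== null, 'the session that changed the password is kept');
expect($store->currentUser($bobPhone) === null, 'other sessions for the account are logged out');
```

The check runs on every request rather than only at password-change time, so it also covers sessions stored in a backend the application cannot enumerate (file or cookie drivers), which is the case Laravel's middleware is designed for. A session that is not bound to a hash (the `null` case) is accepted unconditionally, which is exactly the reported behaviour.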


No fix was provided

Language: PHP

Good to know:


Insufficient Session Expiration


Upgrade Version

No fix version available

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial