CVE-2022-22107

Source
https://cve.org/CVERecord?id=CVE-2022-22107
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22107.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-22107
Aliases
Published
2022-01-05T15:05:16Z
Modified
2026-07-08T06:00:20.037051845Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
DayByDay CRM - Missing Authorization when Viewing Appointments
Details

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/22xxx/CVE-2022-22107.json",
    "cna_assigner": "Mend",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/bottelet/daybydaycrm

Affected ranges

Type
GIT
Repo
https://github.com/bottelet/daybydaycrm
Events
Database specific
{
    "cpe": "cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.2.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.0.0
2.1.0
2.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22107.json"