GHSA-w6rp-4vj7-v2m8

Source
https://github.com/advisories/GHSA-w6rp-4vj7-v2m8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w6rp-4vj7-v2m8/GHSA-w6rp-4vj7-v2m8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w6rp-4vj7-v2m8
Aliases
Published
2022-01-08T00:31:49Z
Modified
2023-11-08T04:08:11.685224Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization in DayByDay CRM
Details

DayByDay CRM version 2.2.0 is vulnerable to missing authorization. Any application user who has the update user permission enabled is able to change the password of other users, including the administrator's. This allows the attacker to gain access to the highest-privileged user in the application.

References

Affected packages

Packagist / bottelet/flarepoint

Package

Name
bottelet/flarepoint
Purl
pkg:composer/bottelet/flarepoint

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.1

Affected versions

Other

V1

1.*

1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7

2.*

2.0.0
2.1.0
2.2.0