CVE-2022-22107

{"id": "CVE-2022-22107", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "vulnerabilitylab@mend.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-01-05T15:15:07.720", "references": [{"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b", "tags": ["Patch", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107", "tags": ["Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "vulnerabilitylab@mend.io", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all."}, {"lang": "es", "value": "En Daybyday CRM, versiones 2.0.0 hasta 2.2.0, son vulnerables a una falta de autorizaci\u00f3n. Un atacante que tenga la cuenta con menos privilegios (usuario de tipo empleado), puede visualizar las citas de todos los usuarios del sistema, incluidos los administradores. Sin embargo, este tipo de usuario no est\u00e1 autorizado a visualizar el calendario en absoluto."}], "lastModified": "2022-01-08T02:49:40.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADAFF08E-EF6E-45ED-A139-DD7DDD947C52", "versionEndIncluding": "2.2.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerabilitylab@mend.io"}