Bottelet/DaybydayCRM
GitHub
CVE History
| CVE | Published | CVSS v3 | CVSS v2 |
|---|---|---|---|
| 6.3 MEDIUM | 6.5 MEDIUM | ||
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue. | |||
| 4.3 MEDIUM | 4 MEDIUM | ||
A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue. | |||
| 5.4 MEDIUM | 3.5 LOW | ||
In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript on the client browser. | |||
| 8.8 HIGH | 6.5 MEDIUM | ||
In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||
| 5.4 MEDIUM | 3.5 LOW | ||
In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks. | |||
| 4.3 MEDIUM | 4 MEDIUM | ||
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information. | |||
| 7.5 HIGH | 5 MEDIUM | ||
In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort. | |||
| 8.8 HIGH | 6.5 MEDIUM | ||
In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application. | |||
| 4.3 MEDIUM | 4 MEDIUM | ||
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all. | |||
| 5.4 MEDIUM | 3.5 LOW | ||
Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen. | |||
| 5.4 MEDIUM | 3.5 LOW | ||
Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen. | |||
| 5.4 MEDIUM | 3.5 LOW | ||
Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen. | |||
| 5.4 MEDIUM | 3.5 LOW | ||
Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen. | |||