Moderate severity · NVD Advisory · Published Jan 5, 2022 · Updated Aug 3, 2024
DayByDay CRM - Missing Authorization when Viewing Appointments
CVE-2022-22107
Description
Daybyday CRM versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker holding the lowest-privilege account (an employee-type user) can view the appointments of every user in the system, including administrators, even though that user type is not authorized to view the calendar at all.
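As an added illustration of the defect class described above (hypothetical code, not from the DaybydayCRM project or its patch), the following Laravel controller shows an appointment listing that returns every user's appointments with no ability check, beside a hardened version that gates both the rendered calendar page and the JSON endpoint that feeds it and scopes the query to what the caller may see. The route paths, the `Appointment` model with a `user_id` column, and the `calendar-view` / `calendar-view-all` ability names are assumptions; `abort_unless`, `can()`, `actingAs()` and `getJson()` are standard Laravel APIs.

```php
<?php
// Added example (hypothetical), not DaybydayCRM code. Assumes a Laravel app
// with an Appointment model that has a `user_id` column, and abilities named
// "calendar-view" and "calendar-view-all" granted to the appropriate roles.

namespace App\Http\Controllers;

use App\Models\Appointment;
use Illuminate\Http\Request;

// BEFORE (vulnerable): nothing checks who is asking. Any authenticated
// account, including the lowest-privilege role, receives every appointment.
class AppointmentsControllerVulnerable extends Controller
{
    public function calendar()
    {
        return view('appointments.calendar');
    }

    public function events()
    {
        // Data endpoint consumed by the calendar widget: no ability check,
        // no scoping to the requesting user.
        return response()->json(Appointment::all());
    }
}

// AFTER (hardened): the same ability protects both the page and the data it
// loads, the failure is a uniform 403 (easy to log and alert on), and the
// query is scoped unless the caller holds the wider ability.
class AppointmentsControllerHardened extends Controller
{
    public function calendar(Request $request)
    {
        abort_unless($request->user()->can('calendar-view'), 403);

        return view('appointments.calendar');
    }

    public function events(Request $request)
    {
        $user = $request->user();
        abort_unless($user->can('calendar-view'), 403);

        $query = Appointment::query();

        // Only accounts with the wider ability see other users' appointments.
        if (! $user->can('calendar-view-all')) {
            $query->where('user_id', $user->id);
        }

        return response()->json($query->get());
    }
}

// Feature test (hypothetical, lives in tests/Feature/ in a real project):
// locks in that an account without the ability gets 403 from the data route,
// not just from the page, so a regression of either check fails CI.
//
// class AppointmentAuthorizationTest extends TestCase
// {
//     public function test_employee_cannot_load_calendar_data(): void
//     {
//         $employee = \App\Models\User::factory()->create(); // no calendar-view ability
//
//         $this->actingAs($employee)
//              ->getJson('/appointments/events')
//              ->assertStatus(403);
//     }
// }
```

The design point is that a view-level check alone does not close a missing-authorization hole when the page pulls its data from a second route; the ability check has to sit on every route that returns the protected data, and the test should target the data route directly.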
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bottelet/flarepoint (Packagist) | >= 2.0.0, < 2.2.1 | 2.2.1 |
Affected products
- Range: 2.0.0
Patches
a0392f4a4a14: password change requires 6 on update, and only allowed users can see calendar
3 files changed · +9 −6
app/Http/Controllers/AppointmentsController.php+5 −2 modified@@ -15,6 +15,10 @@ class AppointmentsController extends Controller { public function calendar() { + if (!auth()->user()->can("calendar-view")) { + session()->flash('flash_message_warning', __('You do not have permission to view this page')); + return redirect()->back(); + } return view('appointments.calendar'); } @@ -38,7 +42,6 @@ public function update(UpdateAppointmentCalendarRequest $request, Appointment $a public function store(CreateAppointmentCalendarRequest $request) { - $client_id = null; $user = User::where('external_id', $request->user)->first(); @@ -86,7 +89,7 @@ public function store(CreateAppointmentCalendarRequest $request) public function destroy(Appointment $appointment) { - if (!auth()->user()->can("appointment-create")) { + if (!auth()->user()->can("appointment-delete")) { return response("Access denied", 403); }
app/Http/Requests/User/StoreUserRequest.php+2 −2 modified@@ -29,8 +29,8 @@ public function rules() 'address' => '', 'primary_number' => 'numeric', 'secondary_number' => 'numeric', - 'password' => 'required|min:5|confirmed', - 'password_confirmation' => 'required|min:5', + 'password' => 'required|min:6|confirmed', + 'password_confirmation' => 'required|min:6', 'image_path' => '', 'roles' => 'required', 'departments' => 'required'
app/Http/Requests/User/UpdateUserRequest.php+2 −2 modified@@ -29,8 +29,8 @@ public function rules() 'address' => '', 'primary_number' => 'numeric', 'secondary_number' => 'numeric', - 'password' => 'sometimes', - 'password_confirmation' => 'sometimes', + 'password' => 'sometimes|min:6|confirmed', + 'password_confirmation' => 'sometimes|min:6', 'image_path' => '', 'departments' => 'required' ];
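Review bot: in the AppointmentsController calendar() hunk, the new `calendar-view` check gates only the rendering of `appointments.calendar`; that method returns a view, not the appointment records themselves, so whichever route serves the calendar's data needs the same ability check or the authorization gap described in the advisory remains on that route. Also consider failing with `return response("Access denied", 403);` as destroy() already does, rather than `redirect()->back()` with a flash message, so unauthorized access is uniformly a 403 that can be logged and alerted on.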
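Review bot: the store() hunk that drops `$client_id = null;` is unrelated to the authorization fix and would be clearer as a separate commit; before merging, confirm that no later branch in store() reads `$client_id` without assigning it, since that initialization was guarding against an undefined-variable notice.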
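Review bot: the destroy() hunk correctly changes the ability from `appointment-create` to `appointment-delete`, but the diff touches no permission seeder or migration, so confirm that an `appointment-delete` ability exists and is assigned to the intended roles: if it is missing, deletion now fails for everyone; if it is granted by default to all roles, the change is a no-op. A feature test asserting a 403 for a user lacking the ability would lock the behaviour in.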
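Review bot: in the StoreUserRequest hunk, raising the minimum from `min:5` to `min:6` is an improvement but still below common guidance (NIST SP 800-63B requires at least 8 characters for user-chosen passwords), so consider `min:8`; the separate `min:6` on `password_confirmation` is redundant because `confirmed` already requires it to match `password`.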
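Review bot: in the UpdateUserRequest hunk, `sometimes` only skips the rule when the `password` key is absent from the request; if the user edit form always submits the field (empty when the password is left unchanged), `min:6|confirmed` will reject every profile update that does not set a new password. Either add `nullable` so an empty value bypasses the length check, or apply the rules only when the field is filled, and add a test that updates a user without a password to confirm.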
References
- github.com/advisories/GHSA-44gv-fgcj-w546 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22107 (NVD advisory)
- github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b (fix commit, x_refsource_MISC)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107 (WhiteSource vulnerability database, x_refsource_MISC)