Moderate severityNVD Advisory· Published Jan 5, 2022· Updated Aug 3, 2024

DayByDay CRM - Missing Authorization when Viewing Absences

CVE-2022-22108

Description

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
bottelet/flarepointPackagist	>= 2.0.0, < 2.2.1	2.2.1

Affected products

Bottelet/Flarepointv5
Range: 2.0.0
Bottelet/Daybydaycrmv5
Range: 2.0.0

Patches

fe842ea5ede2

ensure only admin and owner can change role, and password, unless it is yourself

https://github.com/Bottelet/DaybydayCRMCasper BotteletJun 25, 2021via ghsa

commit

3 files changed · +31 −2

app/Http/Controllers/UsersController.php+13 −1 modified

@@ -40,6 +40,10 @@ public function index()
 
     public function calendarUsers()
     {
+        if (!auth()->user()->can('absence-view')) {
+            session()->flash('flash_message_warning', __('You do not have permission to view this page'));
+            return redirect()->back();
+        }
         return User::with(['department', 'absences' =>  function ($q) {
             return $q->whereBetween('start_at', [today()->subWeeks(2)->startOfDay(), today()->addWeeks(4)->endOfDay()])
                       ->orWhereBetween('end_at', [today()->subWeeks(2)->startOfDay(), today()->addWeeks(4)->endOfDay()]);
@@ -244,6 +248,12 @@ public function update($external_id, UpdateUserRequest $request)
         $password = bcrypt($request->password);
         $role = $request->roles;
         $department = $request->departments;
+
+        if( !auth()->user()->canChangePasswordOn($user) ) {
+            unset($request['password']);
+        }
+
+
         if ($request->hasFile('image_path')) {
             $companyname = Setting::first()->external_id;
             $file =  $request->file('image_path');
@@ -273,7 +283,9 @@ public function update($external_id, UpdateUserRequest $request)
         if ($role && $role->name == Role::OWNER_ROLE && $owners->count() <= 1) {
             Session()->flash('flash_message_warning', __('Not able to change owner role, please choose a new owner first'));
         } else {
-            $user->roles()->sync([$request->roles]);
+            if(auth()->user()->canChangeRole() ) {
+                $user->roles()->sync([$request->roles]);
+            }
         }
         $user->department()->sync([$department]);

app/Models/User.php+13 −0 modified

@@ -98,6 +98,19 @@ public function tokens()
         return $this->hasMany(Token::class, 'user_id', 'id');
     }
 
+    public function canChangePasswordOn(User $user)
+    {
+        if($this->id === $user->id || ( $this->roles->first()->name == Role::OWNER_ROLE || $this->roles->first()->name == Role::ADMIN_ROLE)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public function canChangeRole()
+    {
+        return $this->roles->first()->name == Role::OWNER_ROLE || $this->roles->first()->name == Role::ADMIN_ROLE;
+    }
 
 
     public function isOnline()

resources/views/users/form.blade.php+5 −1 modified

@@ -61,10 +61,11 @@
 <div class="col-sm-12">
     <hr>
 </div>
-
+@if(isset($user) && auth()->user()->canChangePasswordOn($user))
 <div class="col-sm-3">
     <label for="name" class="base-input-label">@lang('Security')</label>
 </div>
+
 <div class="col-sm-9">
     <div class="form-group col-sm-8">
         <label for="password" class="control-label thin-weight">@lang('Password')</label>
@@ -75,13 +76,15 @@
         <input type="password" name="password_confirmation" class="form-control" value="">
     </div>
 </div>
+@endif
 <div class="col-sm-12">
     <hr>
 </div>
 <div class="col-sm-3">
     <label for="name" class="base-input-label">@lang('Access')</label>
 </div>
 <div class="col-sm-9">
+@if(isset($user) && auth()->user()->canChangeRole())
     <div class="form-group col-sm-8">
         <label for="roles" class="control-label thin-weight">@lang('Assign role')</label>
         <select name="roles" id="" class="form-control">
@@ -90,6 +93,7 @@
         @endforeach
         </select>
     </div>
+@endif
     <div class="form-group col-sm-8">
         <label for="departments" class="control-label thin-weight">@lang('Assign department')</label>
         <select name="departments" id="" class="form-control">

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-frxp-xxx8-hrg6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-22108ghsaADVISORY
github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8bghsax_refsource_MISCWEB
www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000