Moderate severity · NVD Advisory · Published Jan 5, 2022 · Updated Aug 3, 2024
DayByDay CRM - Stored Cross-Site Scripting (XSS) in Task Title
CVE-2022-22109
Description
Daybyday CRM version 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) flaw that allows low-privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bottelet/flarepoint (Packagist) | < 2.2.1 | 2.2.1 |
Affected products
- Range: 2.2.0
- Range: 2.2.0
Patches
002dc75f400c fix xss for tasks index
1 file changed · +1 −1
app/Http/Controllers/TasksController.php+1 −1 modified@@ -82,7 +82,7 @@ public function anyData() }) ->addColumn('view', function ($tasks) { return '<a href="' . route("tasks.show", $tasks->external_id) . '" class="btn btn-link">' . __('View') .'</a>' - . '<a data-toggle="modal" data-id="'. route('tasks.destroy',$tasks->external_id) . '" data-title="'. $tasks->title . '" data-target="#deletion" class="btn btn-link">' . __('Delete') .'</a>' + . '<a data-toggle="modal" data-id="'. route('tasks.destroy',$tasks->external_id) . '" data-target="#deletion" class="btn btn-link">' . __('Delete') .'</a>' ; }) ->rawColumns(['titlelink','view', 'status_id'])
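Review bot: `titlelink` and `status_id` are still listed in `->rawColumns(['titlelink','view', 'status_id'])`, so removing `data-title="'. $tasks->title . '"` from the Delete link in the `view` callback closes only the one sink visible in this hunk. The `titlelink` builder is outside these lines and should be confirmed to escape `$tasks->title` (for example with Laravel's `e($tasks->title)`) before it is returned as raw HTML. If the `#deletion` modal relied on `data-title` to show which task is being deleted, keeping the attribute with an escaped value would preserve that behaviour instead of dropping it.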
References
- github.com/advisories/GHSA-jr37-66pj-36v7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-22109 (ghsa, ADVISORY)
- github.com/Bottelet/DaybydayCRM/commit/002dc75f400cf307bd00b71a5a93f1e26e52cee2 (ghsa, x_refsource_MISC, WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22109 (ghsa, x_refsource_MISC, WEB)