VYPR
High severity · NVD Advisory · Published Jan 5, 2022 · Updated Aug 3, 2024

DayByDay CRM - Weak Password Requirements in Update User

CVE-2022-22110

Description

Daybyday CRM versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update their own password could change it to a weak one, such as a single-character password. This may allow an attacker to brute-force users' passwords with minimal to no computational effort.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          | Affected versions | Patched versions
bottelet/flarepoint (Packagist)  | >= 1.1, < 2.2.1   | 2.2.1

Affected products: 2

Patches: 1
a0392f4a4a14

password change requires 6 on update, and only allowed users can see calendar

https://github.com/Bottelet/DaybydayCRM · Casper Bottelet · Jun 25, 2021 · via ghsa
3 files changed · +9 −6
  • app/Http/Controllers/AppointmentsController.php · +5 −2 · modified
    @@ -15,6 +15,10 @@ class AppointmentsController extends Controller
     {
         public function calendar()
         {
    +        if (!auth()->user()->can("calendar-view")) {
    +            session()->flash('flash_message_warning', __('You do not have permission to view this page'));
    +            return redirect()->back();
    +        }
             return view('appointments.calendar');
         }
     
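Review bot: the new guard in calendar() answers an unauthorised request with a flash message and redirect()->back(), while destroy() in the same controller (see the third hunk) returns response("Access denied", 403); the two should use one convention. A redirect back also loops if the referrer was the calendar route itself and otherwise falls back to the session's previous URL or the site root, so abort(403) or the `can:calendar-view` route middleware would be the more predictable choice. The check also dereferences auth()->user() without a null guard, so it relies on the auth middleware being attached to this route, which the diff does not show.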
    @@ -38,7 +42,6 @@ public function update(UpdateAppointmentCalendarRequest $request, Appointment $a
     
         public function store(CreateAppointmentCalendarRequest $request)
         {
    - 
             $client_id = null;
             $user = User::where('external_id', $request->user)->first();
     
    @@ -86,7 +89,7 @@ public function store(CreateAppointmentCalendarRequest $request)
     
         public function destroy(Appointment $appointment)
         {
    -        if (!auth()->user()->can("appointment-create")) {
    +        if (!auth()->user()->can("appointment-delete")) {
                 return response("Access denied", 403);
             }
     
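Review bot: switching the guard in destroy() from "appointment-create" to "appointment-delete" is an authorization fix that the commit message ("password change requires 6 on update, and only allowed users can see calendar") does not mention; it belongs in its own commit with a changelog line. Before merging, confirm that an "appointment-delete" permission is actually seeded and granted to the roles expected to delete appointments, otherwise this line silently removes deletion from every user, since can() only succeeds when the named permission exists exactly as spelled here.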
    
  • app/Http/Requests/User/StoreUserRequest.php · +2 −2 · modified
    @@ -29,8 +29,8 @@ public function rules()
                 'address' => '',
                 'primary_number' => 'numeric',
                 'secondary_number' => 'numeric',
    -            'password' => 'required|min:5|confirmed',
    -            'password_confirmation' => 'required|min:5',
    +            'password' => 'required|min:6|confirmed',
    +            'password_confirmation' => 'required|min:6',
                 'image_path' => '',
                 'roles' => 'required',
                 'departments' => 'required'
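Review bot: raising min:5 to min:6 in StoreUserRequest is a small step; NIST SP 800-63B sets 8 characters as the floor for user-chosen memorized secrets, and a length rule alone still accepts "aaaaaaaa" or "123456". Consider min:8, and if the project's Laravel version provides Illuminate\Validation\Rules\Password, Password::min(8)->uncompromised() additionally rejects passwords found in known breach sets. The min:6 on password_confirmation is redundant once confirmed is on password, because the confirmation must equal the already-validated value.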
    
  • app/Http/Requests/User/UpdateUserRequest.php · +2 −2 · modified
    @@ -29,8 +29,8 @@ public function rules()
                 'address' => '',
                 'primary_number' => 'numeric',
                 'secondary_number' => 'numeric',
    -            'password' => 'sometimes',
    -            'password_confirmation' => 'sometimes',
    +            'password' => 'sometimes|min:6|confirmed',
    +            'password_confirmation' => 'sometimes|min:6',
                 'image_path' => '',
                 'departments' => 'required'
             ];
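Review bot: with sometimes|min:6|confirmed, min and confirmed run only when the password key is present in the request, and Laravel skips non-implicit rules such as min and confirmed for a field submitted as an empty string. That is acceptable only if the controller treats an absent or empty password as "no change" and hashes the value solely when a non-empty one passed validation; this request class on its own does not guarantee a 6-character password, and if the controller blindly calls bcrypt($request->password) an empty submission would set an empty password. The same floor comment as for StoreUserRequest applies (min:8 rather than min:6), and the two request classes should share one password rule definition instead of duplicating the string.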
    


References: 4
