High severityNVD Advisory· Published Jan 5, 2022· Updated Aug 3, 2024

DayByDay CRM - Missing Authorization when Changing Password

CVE-2022-22111

Description

In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
bottelet/flarepointPackagist	< 2.2.1	2.2.1

Affected products

Bottelet/Flarepointv5
Range: 2.2.0
Bottelet/Daybydaycrmv5
Range: 2.2.0

Patches

fe842ea5ede2

ensure only admin and owner can change role, and password, unless it is yourself

https://github.com/Bottelet/DaybydayCRMCasper BotteletJun 25, 2021via ghsa

commit

3 files changed · +31 −2

app/Http/Controllers/UsersController.php+13 −1 modified

@@ -40,6 +40,10 @@ public function index()
 
     public function calendarUsers()
     {
+        if (!auth()->user()->can('absence-view')) {
+            session()->flash('flash_message_warning', __('You do not have permission to view this page'));
+            return redirect()->back();
+        }
         return User::with(['department', 'absences' =>  function ($q) {
             return $q->whereBetween('start_at', [today()->subWeeks(2)->startOfDay(), today()->addWeeks(4)->endOfDay()])
                       ->orWhereBetween('end_at', [today()->subWeeks(2)->startOfDay(), today()->addWeeks(4)->endOfDay()]);
@@ -244,6 +248,12 @@ public function update($external_id, UpdateUserRequest $request)
         $password = bcrypt($request->password);
         $role = $request->roles;
         $department = $request->departments;
+
+        if( !auth()->user()->canChangePasswordOn($user) ) {
+            unset($request['password']);
+        }
+
+
         if ($request->hasFile('image_path')) {
             $companyname = Setting::first()->external_id;
             $file =  $request->file('image_path');
@@ -273,7 +283,9 @@ public function update($external_id, UpdateUserRequest $request)
         if ($role && $role->name == Role::OWNER_ROLE && $owners->count() <= 1) {
             Session()->flash('flash_message_warning', __('Not able to change owner role, please choose a new owner first'));
         } else {
-            $user->roles()->sync([$request->roles]);
+            if(auth()->user()->canChangeRole() ) {
+                $user->roles()->sync([$request->roles]);
+            }
         }
         $user->department()->sync([$department]);

app/Models/User.php+13 −0 modified

@@ -98,6 +98,19 @@ public function tokens()
         return $this->hasMany(Token::class, 'user_id', 'id');
     }
 
+    public function canChangePasswordOn(User $user)
+    {
+        if($this->id === $user->id || ( $this->roles->first()->name == Role::OWNER_ROLE || $this->roles->first()->name == Role::ADMIN_ROLE)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public function canChangeRole()
+    {
+        return $this->roles->first()->name == Role::OWNER_ROLE || $this->roles->first()->name == Role::ADMIN_ROLE;
+    }
 
 
     public function isOnline()

resources/views/users/form.blade.php+5 −1 modified

@@ -61,10 +61,11 @@
 <div class="col-sm-12">
     <hr>
 </div>
-
+@if(isset($user) && auth()->user()->canChangePasswordOn($user))
 <div class="col-sm-3">
     <label for="name" class="base-input-label">@lang('Security')</label>
 </div>
+
 <div class="col-sm-9">
     <div class="form-group col-sm-8">
         <label for="password" class="control-label thin-weight">@lang('Password')</label>
@@ -75,13 +76,15 @@
         <input type="password" name="password_confirmation" class="form-control" value="">
     </div>
 </div>
+@endif
 <div class="col-sm-12">
     <hr>
 </div>
 <div class="col-sm-3">
     <label for="name" class="base-input-label">@lang('Access')</label>
 </div>
 <div class="col-sm-9">
+@if(isset($user) && auth()->user()->canChangeRole())
     <div class="form-group col-sm-8">
         <label for="roles" class="control-label thin-weight">@lang('Assign role')</label>
         <select name="roles" id="" class="form-control">
@@ -90,6 +93,7 @@
         @endforeach
         </select>
     </div>
+@endif
     <div class="form-group col-sm-8">
         <label for="departments" class="control-label thin-weight">@lang('Assign department')</label>
         <select name="departments" id="" class="form-control">

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-w6rp-4vj7-v2m8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-22111ghsaADVISORY
github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8bghsax_refsource_MISCWEB
www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22111ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000