Packagist (Composer) package
bottelet/flarepoint
pkg:composer/bottelet/flarepoint
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-22111 | Hig | 8.8 | < 2.2.1 | 2.2.1 | Jan 5, 2022 | In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highe | |
| CVE-2022-22110 | Hig | 7.5 | >= 1.1, < 2.2.1 | 2.2.1 | Jan 5, 2022 | In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brut | |
| CVE-2022-22109 | Med | 5.4 | < 2.2.1 | 2.2.1 | Jan 5, 2022 | In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” pa | |
| CVE-2022-22108 | Med | 4.3 | >= 2.0.0, < 2.2.1 | 2.2.1 | Jan 5, 2022 | In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view t | |
| CVE-2022-22107 | Med | 4.3 | >= 2.0.0, < 2.2.1 | 2.2.1 | Jan 5, 2022 | In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authori |
- affected < 2.2.1fixed 2.2.1
In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highe
- affected >= 1.1, < 2.2.1fixed 2.2.1
In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brut
- affected < 2.2.1fixed 2.2.1
In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” pa
- affected >= 2.0.0, < 2.2.1fixed 2.2.1
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view t
- affected >= 2.0.0, < 2.2.1fixed 2.2.1
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authori