From 46608e7f8dc71fedb3c425bb0a6e1e4f0880b944 Mon Sep 17 00:00:00 2001
From: hagaiwech
Date: Wed, 5 Jan 2022 16:46:48 +0200
Subject: [PATCH] Add CVE-2022-22108 DayByDay CRM - Missing Authorization when Viewing Absences Committed by: Hagai Wechsler
---
 2022/22xxx/CVE-2022-22108.json | 117 +++++++++++++++++++++++++++++++--
 1 file changed, 110 insertions(+), 7 deletions(-)
diff --git a/2022/22xxx/CVE-2022-22108.json b/2022/22xxx/CVE-2022-22108.json
index c505c351fa4..76d1a99e5d2 100644
--- a/2022/22xxx/CVE-2022-22108.json
+++ b/2022/22xxx/CVE-2022-22108.json
@@ -1,18 +1,121 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
 "ID": "CVE-2022-22108",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "DayByDay CRM - Missing Authorization when Viewing Absences"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "DaybydayCRM",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": ">=",
+ "version_value": "2.0.0"
+ },
+ {
+ "version_affected": "<=",
+ "version_value": "2.2.0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "flarepoint",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": ">=",
+ "version_value": "2.0.0"
+ },
+ {
+ "version_affected": "<=",
+ "version_value": "2.2.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Bottelet"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "WhiteSource Vulnerability Research Team (WVR)"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-862 Missing Authorization"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://github.com/Bottelet/DaybydayCRM/commit/fe842ea5ede237443f1f45a99aeb839133115d8b"
+ },
+ {
+ "refsource": "MISC",
+ "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22108"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Update to 2.2.1"
+ }
+ ],
+ "source": {
+ "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
+ "discovery": "UNKNOWN"
 }
-}
\ No newline at end of file
+}
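Review bot: The affected range is written as two separate `version_data` entries per product (`>=` 2.0.0 and `<=` 2.2.0), and nothing in the record ties the pair together, so a consumer that evaluates entries one at a time would match every release, including the 2.2.1 that `solution` names as the fix. The description's "2.0.0 through 2.2.0" is the only unambiguous statement of the bound; consider one entry per product that carries the upper bound (`"version_affected": "<="`, `"version_value": "2.2.0"`) and check how the intended matchers treat the lower bound before relying on a second entry. The same pair is repeated under `flarepoint`, which none of the listed references mention, so that product name and its range are worth confirming with the vendor. Separately, `"discovery": "UNKNOWN"` sits next to a `credit` entry naming the research team; if they reported the issue, `"discovery": "EXTERNAL"` would be consistent with it.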