| عنوان | Bottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization |
|---|
| الوصف | A critical vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. The issue affects the view and download methods in the app/Http/Controllers/DocumentsController.php file. Due to a lack of ownership and proper authorization checks, any authenticated user can view and download arbitrary documents by simply supplying an external_id (Insecure Direct Object Reference).
Issue: https://github.com/Bottelet/DaybydayCRM/issues/347
Fix Pull Request: https://github.com/Bottelet/DaybydayCRM/pull/362 |
|---|
| المصدر | ⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347 |
|---|
| المستخدم | Mitchell45 (UID 98149) |
|---|
| ارسال | 11/05/2026 11:40 AM (24 أيام منذ) |
|---|
| الاعتدال | 31/05/2026 06:26 PM (20 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 367575 [Bottelet DaybydayCRM حتى 2.2.1 DocumentsController.php view تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|