| Titel | Bottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization |
|---|
| Beschreibung | A critical vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. The issue affects the view and download methods in the app/Http/Controllers/DocumentsController.php file. Due to a lack of ownership and proper authorization checks, any authenticated user can view and download arbitrary documents by simply supplying an external_id (Insecure Direct Object Reference).
Issue: https://github.com/Bottelet/DaybydayCRM/issues/347
Fix Pull Request: https://github.com/Bottelet/DaybydayCRM/pull/362 |
|---|
| Quelle | ⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347 |
|---|
| Benutzer | Mitchell45 (UID 98149) |
|---|
| Einreichung | 11.05.2026 11:40 (vor 24 Tagen) |
|---|
| Moderieren | 31.05.2026 18:26 (20 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 367575 [Bottelet DaybydayCRM bis 2.2.1 DocumentsController.php view erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|