| Titre | Bottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization |
|---|
| Description | A critical vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. The issue affects the view and download methods in the app/Http/Controllers/DocumentsController.php file. Due to a lack of ownership and proper authorization checks, any authenticated user can view and download arbitrary documents by simply supplying an external_id (Insecure Direct Object Reference).
Issue: https://github.com/Bottelet/DaybydayCRM/issues/347
Fix Pull Request: https://github.com/Bottelet/DaybydayCRM/pull/362 |
|---|
| La source | ⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347 |
|---|
| Utilisateur | Mitchell45 (UID 98149) |
|---|
| Soumission | 11/05/2026 11:40 (il y a 26 jours) |
|---|
| Modérer | 31/05/2026 18:26 (20 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367575 [Bottelet DaybydayCRM jusqu’à 2.2.1 DocumentsController.php view élévation de privilèges] |
|---|
| Points | 20 |
|---|