| タイトル | Bottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization |
|---|
| 説明 | A critical vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. The issue affects the view and download methods in the app/Http/Controllers/DocumentsController.php file. Due to a lack of ownership and proper authorization checks, any authenticated user can view and download arbitrary documents by simply supplying an external_id (Insecure Direct Object Reference).
Issue: https://github.com/Bottelet/DaybydayCRM/issues/347
Fix Pull Request: https://github.com/Bottelet/DaybydayCRM/pull/362 |
|---|
| ソース | ⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347 |
|---|
| ユーザー | Mitchell45 (UID 98149) |
|---|
| 送信 | 2026年05月11日 11:40 (26 日 ago) |
|---|
| モデレーション | 2026年05月31日 18:26 (20 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367575 [Bottelet DaybydayCRM 迄 2.2.1 DocumentsController.php view 特権昇格] |
|---|
| ポイント | 20 |
|---|