Submit #825439: Bottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorizationinfo

TitleBottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization
DescriptionA critical vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. The issue affects the view and download methods in the app/Http/Controllers/DocumentsController.php file. Due to a lack of ownership and proper authorization checks, any authenticated user can view and download arbitrary documents by simply supplying an external_id (Insecure Direct Object Reference). Issue: https://github.com/Bottelet/DaybydayCRM/issues/347 Fix Pull Request: https://github.com/Bottelet/DaybydayCRM/pull/362
Source⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347
User
 Mitchell45 (UID 98149)
Submission05/11/2026 11:40 (2 months ago)
Moderation05/31/2026 18:26 (20 days later)
StatusAccepted
VulDB entry367575 [Bottelet DaybydayCRM up to 2.2.1 DocumentsController.php view improper authorization]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!