| Title | Bottelet DaybydayCRM <= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization |
|---|
| Description | A critical vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. The issue affects the view and download methods in the app/Http/Controllers/DocumentsController.php file. Due to a lack of ownership and proper authorization checks, any authenticated user can view and download arbitrary documents by simply supplying an external_id (Insecure Direct Object Reference).
Issue: https://github.com/Bottelet/DaybydayCRM/issues/347
Fix Pull Request: https://github.com/Bottelet/DaybydayCRM/pull/362 |
|---|
| Source | ⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347 |
|---|
| User | Mitchell45 (UID 98149) |
|---|
| Submission | 05/11/2026 11:40 (2 months ago) |
|---|
| Moderation | 05/31/2026 18:26 (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 367575 [Bottelet DaybydayCRM up to 2.2.1 DocumentsController.php view improper authorization] |
|---|
| Points | 20 |
|---|