Submit #825440: Bottelet DaybydayCRM <= 2.2.1 Improper Authorizationinfo

TitleBottelet DaybydayCRM <= 2.2.1 Improper Authorization
DescriptionA vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. It has been rated as medium to high severity. The issue affects the updateAssign methods in multiple controllers, specifically TasksController, ProjectsController, and LeadsController. These methods lack the required permission checks (e.g., can() checks), which allows unauthorized authenticated users to inappropriately modify resource assignments across the application. The vulnerability was patched in Pull Request #362 by enforcing proper assignment permission checks matching their respective sibling updateStatus methods.
Source⚠️ https://github.com/Bottelet/DaybydayCRM/issues/347
User
 Mitchell45 (UID 98149)
Submission05/11/2026 11:42 (2 months ago)
Moderation05/31/2026 18:26 (20 days later)
StatusDuplicate
VulDB entry367575 [Bottelet DaybydayCRM up to 2.2.1 DocumentsController.php view improper authorization]
Points0

Do you want to use VulDB in your project?

Use the official API to access entries easily!