Submit #825443: Bottelet DaybydayCRM <= 2.2.1 Mass Assignment (CWE-915)info

TitleBottelet DaybydayCRM <= 2.2.1 Mass Assignment (CWE-915)
DescriptionA mass assignment vulnerability was found in Bottelet DaybydayCRM up to version 2.2.1. It has been rated as medium severity. The issue affects status update endpoints within TasksController, ProjectsController, and LeadsController. Due to the improper use of fill($request->all()) without filtering allowable input, an authenticated user can overwrite sensitive fields such as the title, description, or assigned user during a status update. The vulnerability was patched in Pull Request #363 by explicitly filtering inputs using the only() method.
Source⚠️ https://github.com/Bottelet/DaybydayCRM/issues/348
User
 Mitchell_45 (UID 98150)
Submission05/11/2026 12:06 (2 months ago)
Moderation05/31/2026 18:26 (20 days later)
StatusDuplicate
VulDB entry367576 [Bottelet DaybydayCRM up to 2.2.1 Setting missing authentication]
Points0

Do you need the next level of professionalism?

Upgrade your account now!