DayByDay CRM - Stored Cross-Site Scripting (XSS) in Task Title
CVE-2022-22109

5.4MEDIUM

Key Information:

Vendor: Bottelet
Status: Daybydaycrm; Flarepoint
Vendor: CVE Published:; 5 January 2022

What is CVE-2022-22109?

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks.

Affected Version(s)

DaybydayCRM 2.2.0

flarepoint 2.2.0

References

https://github.com/Bottelet/DaybydayCRM/commit/002dc75f40...

x_refsource_MISC

https://www.whitesourcesoftware.com/vulnerability-databas...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 5, 2022
Vulnerability Reserved
Dec 21, 2021

Credit

WhiteSource Vulnerability Research Team (WVR)

CVE-2022-22109 Data

JSON