DayByDay CRM - Application-Wide Client-Side Template Injection (CSTI)
CVE-2022-22112

5.4MEDIUM

Key Information:

Vendor: Bottelet
Status: Daybydaycrm
Vendor: CVE Published:; 13 January 2022

What is CVE-2022-22112?

In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript on the client browser.

Affected Version(s)

DaybydayCRM 1.1

References

https://github.com/Bottelet/DaybydayCRM/blob/2.2.1/resour...

x_refsource_MISC

https://www.whitesourcesoftware.com/vulnerability-databas...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 13, 2022
Vulnerability Reserved
Dec 21, 2021

Credit

WhiteSource Vulnerability Research Team (WVR)

CVE-2022-22112 Data

JSON