CVE-2022-22110 - Vulnerability Details - OpenCVE

In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0028.

Key SSVC decision points have not yet been added.

Vendors	Products
Daybydaycrm	Daybyday Crm

Configuration 1 [-]

cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-0541	In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort.
Github GHSA	GHSA-96v6-hrwg-p378	Weak Password Requirements in Daybyday CRM

Fixes

Solution

Update to 2.2.1

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-01-05T15:05:21

Updated: 2024-08-03T03:00:55.381Z

Reserved: 2021-12-21T00:00:00

Link: CVE-2022-22110

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-05T15:15:07.923

Modified: 2024-11-21T06:46:12.150

Link: CVE-2022-22110

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "DaybydayCRM", "vendor": "Bottelet", "versions": [{"lessThanOrEqual": "2.2.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.1", "versionType": "custom"}]}, {"product": "flarepoint", "vendor": "Bottelet", "versions": [{"lessThanOrEqual": "2.2.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "descriptions": [{"lang": "en", "value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "CWE-521 Weak Password Requirements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-05T15:05:21", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"}, {"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"}], "solutions": [{"lang": "en", "value": "Update to 2.2.1"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "DayByDay CRM - Weak Password Requirements in Update User", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "ID": "CVE-2022-22110", "STATE": "PUBLIC", "TITLE": "DayByDay CRM - Weak Password Requirements in Update User"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DaybydayCRM", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.2.0"}, {"version_affected": ">=", "version_value": "1.1"}]}}, {"product_name": "flarepoint", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.2.0"}, {"version_affected": ">=", "version_value": "1.1"}]}}]}, "vendor_name": "Bottelet"}]}}, "credit": [{"lang": "eng", "value": "WhiteSource Vulnerability Research Team (WVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-521 Weak Password Requirements"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b", "refsource": "MISC", "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"}]}, "solution": [{"lang": "en", "value": "Update to 2.2.1"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:00:55.381Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-22110", "datePublished": "2022-01-05T15:05:21", "dateReserved": "2021-12-21T00:00:00", "dateUpdated": "2024-08-03T03:00:55.381Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C4701D6-2257-487B-8037-51B4B3AA90B5", "versionEndIncluding": "2.2.0", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."}, {"lang": "es", "value": "En Daybyday CRM, versiones 1.1 a 2.2.0, imponen requisitos de contrase\u00f1a d\u00e9biles en la funcionalidad user update. Un usuario con privilegios para actualizar su contrase\u00f1a podr\u00eda cambiarla por una contrase\u00f1a d\u00e9bil, como las que presentan una longitud de un solo car\u00e1cter. Esto podr\u00eda permitir a un atacante forzar las contrase\u00f1as de los usuarios con un esfuerzo computacional m\u00ednimo o nulo."}], "id": "CVE-2022-22110", "lastModified": "2024-11-21T06:46:12.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-05T15:15:07.923", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}]}