Description
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bottelet DaybydayCRM up to and including version 2.2.1 lacks an authentication check in an unnamed function of its Setting Handler component, recorded as CWE-306 (Missing Authentication for Critical Function) and CWE-287 (Improper Authentication). A crafted request can therefore reach settings functionality that should sit behind the login, bypassing the intended authentication. The CVE description states that the attack is remotely exploitable. Note, however, that every CVSS vector on this page sets PR:L (Au:S in the v2 vector), so the assigner appears to assume an attacker who already holds a low-privileged account; the page does not resolve whether the affected function is reachable with no credentials at all, and that question should be settled against the actual code before the issue is triaged as a fully unauthenticated bypass.

Affected Systems

The vulnerability affects Bottelet DaybydayCRM versions up to and including 2.2.1 (CPE cpe:2.3:a:bottelet:daybydaycrm:*). Every deployment running one of these versions is affected; since the page lists no fixed release, that currently means every deployment. The flaw resides in the Setting Handler component; the vendor is Bottelet.

Risk and Exploitability

The 5.3 (Medium) figure is the CVSS 4.0 base score; the v3.0 and v3.1 vectors on this page score the same issue at 6.3. All of the vectors rate the issue as network-reachable with low attack complexity and no user interaction, but they also set PR:L (Au:S in v2), so the assigner assumes an attacker with a low-privileged account rather than an anonymous one. No EPSS score has been assigned yet, so the exploit probability is unquantified. The issue is not in the CISA KEV catalog, which means CISA has not confirmed active exploitation, not that none is occurring. Exploitation would most likely consist of a crafted request to the web interface that reaches the vulnerable settings function without passing the expected authentication check; the page gives no further detail on the request. The impact components (VC:L/VI:L/VA:L, scope unchanged) indicate limited loss of confidentiality, integrity and availability within the application, for example reading or altering settings, rather than full takeover of the host.

Generated by OpenCVE AI on June 1, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bottelet DaybydayCRM to a release later than 2.2.1 as soon as the vendor publishes one; at the time of this page no fixed version is listed.
  • If an immediate upgrade is not possible, restrict network access to the application (firewall rules, allow-listed source IP ranges, or placing it behind a VPN or an authenticating reverse proxy) so that only trusted hosts can reach the web interface.
  • As a temporary workaround, disable the affected Setting Handler functionality if the deployment can tolerate it, or enforce authentication on every settings route at the application or reverse-proxy layer. Verify the result by requesting each settings endpoint without a session cookie and confirming that it is rejected or redirected to the login page.

Generated by OpenCVE AI on June 1, 2026 at 20:20 UTC.
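
The verification step above can be scripted. The following is an added example, not code from OpenCVE or from the DaybydayCRM project. It assumes that the application answers an anonymous request to a protected route with a redirect to /login or with a 401/403 (the behaviour of a typical Laravel-style auth middleware); the candidate paths and the login path are placeholders to be replaced with the deployment's real settings routes. Run it only against instances you are authorised to test.

```python
"""Anonymous reachability check for settings endpoints.

Added example; not code from OpenCVE or from the DaybydayCRM project.
Assumptions: the application answers an anonymous request to a protected
route with a redirect to /login or with 401/403, and CANDIDATE_PATHS and
LOGIN_PATH are placeholders for the real routes of the deployment under
test.  Run it only against instances you are authorised to test.
"""
from dataclasses import dataclass
from typing import List, Optional
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumed paths for illustration; replace with the deployment's settings routes.
CANDIDATE_PATHS = ["/settings", "/settings/overview", "/settings/update"]
LOGIN_PATH = "/login"  # assumed login route


@dataclass
class Probe:
    path: str
    status: int
    location: Optional[str]  # Location header on redirects, else None


def classify(probe: Probe, login_path: str = LOGIN_PATH) -> str:
    """Decide what an anonymous response says about authentication.

    'protected'   - 401/403, or a redirect whose target is the login page
    'absent'      - 404/405: the route does not exist, nothing to conclude
    'unprotected' - anything else, in particular a 200 or a redirect to
                    somewhere other than the login page; inspect manually
    """
    if probe.status in (401, 403):
        return "protected"
    if probe.status in (404, 405):
        return "absent"
    if probe.status in (301, 302, 303, 307, 308) and probe.location:
        target = urlparse(probe.location).path or "/"
        if target.rstrip("/") == login_path.rstrip("/"):
            return "protected"
    return "unprotected"


def unprotected(probes: List[Probe]) -> List[str]:
    """Paths whose anonymous response did not show authentication being enforced."""
    return [p.path for p in probes if classify(p) == "unprotected"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url: str, path: str, timeout: float = 5.0) -> Probe:
    """One anonymous GET: no cookies, no Authorization header."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "settings-auth-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(path, resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx (not followed) and 4xx/5xx land here
        return Probe(path, err.code, err.headers.get("Location"))


def scan(base_url: str, paths: List[str] = CANDIDATE_PATHS) -> List[str]:
    """Probe every candidate path anonymously and return the unprotected ones."""
    return unprotected([fetch(base_url, p) for p in paths])


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000"
    flagged = scan(base)
    for path in flagged:
        print(f"WARNING: {path} answered an anonymous request without enforcing authentication")
    if not flagged:
        print("all candidate settings routes rejected anonymous requests")
```

A 200 from a settings route is reported as unprotected, but so is a redirect to anywhere other than the login page, because some applications bounce anonymous users to a dashboard that then leaks data; both cases need a manual look. Run the script once before applying a workaround and once after, and keep the output as evidence for the change record.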

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type / Values Removed / Values Added (no values were removed in this change; every row below is an addition)

Description: A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.
Title: Bottelet DaybydayCRM Setting missing authentication
First Time appeared: Bottelet; Bottelet daybydaycrm
Weaknesses: CWE-287; CWE-306
CPEs: cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*
Vendors & Products: Bottelet; Bottelet daybydaycrm
References: (none listed)
Metrics:
  cvssV2_0: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C
  cvssV3_0: score 6.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
  cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
  cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T18:45:12.856Z

Reserved: 2026-05-31T16:25:59.369Z

Link: CVE-2026-10283

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T19:16:21.547

Modified: 2026-06-01T19:16:21.547

Link: CVE-2026-10283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:30:17Z

Weaknesses