DayByDay CRM - Missing Authorization when Viewing Absences

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

授权机制缺失

Daybyday CRM 授权问题漏洞

Bottelet Daybyday Crm是Bottelet个人开发者的一个用于任务、时间、员工、休假管理的建站系统。 Daybyday CRM 中存在授权问题漏洞，该漏洞源于产品未对查看所有用户缺席信息的权限添加有效限制。攻击者可可通过低权限的账户查看敏感信息。以下产品及版本受到影响： Daybyday CRM 2.0.0 至2.2.0 版本。

N/A

N/A