CVE-2022-22113

EUVD-2022-27262
In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MendCNA
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
daybydaycrmdaybyday
2.2.0 ≤
𝑥
≤ 2.2.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113
https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113