Daybydaycrm
Monthly
Missing admin-only middleware on DaybydayCRM's SettingsController (`updateOverall` and `updateFirstStep` methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.
Missing admin-only middleware on DaybydayCRM's SettingsController (`updateOverall` and `updateFirstStep` methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.