CVE-2022-22110

{"id": "CVE-2022-22110", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "vulnerabilitylab@mend.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-01-05T15:15:07.923", "references": [{"url": "https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b", "tags": ["Patch", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22110", "tags": ["Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-521"}]}, {"type": "Secondary", "source": "vulnerabilitylab@mend.io", "description": [{"lang": "en", "value": "CWE-521"}]}], "descriptions": [{"lang": "en", "value": "In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort."}, {"lang": "es", "value": "En Daybyday CRM, versiones 1.1 a 2.2.0, imponen requisitos de contrase\u00f1a d\u00e9biles en la funcionalidad user update. Un usuario con privilegios para actualizar su contrase\u00f1a podr\u00eda cambiarla por una contrase\u00f1a d\u00e9bil, como las que presentan una longitud de un solo car\u00e1cter. Esto podr\u00eda permitir a un atacante forzar las contrase\u00f1as de los usuarios con un esfuerzo computacional m\u00ednimo o nulo."}], "lastModified": "2022-01-21T14:24:35.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C4701D6-2257-487B-8037-51B4B3AA90B5", "versionEndIncluding": "2.2.0", "versionStartIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerabilitylab@mend.io"}