CVE-2022-22113

8.8 HIGH

📋 TL;DR

DayByDay CRM versions 2.2.0 through 2.2.1 have an insufficient session expiration vulnerability: existing sessions remain valid after a password change. If credentials are compromised and the user then changes the password, sessions already opened with the old credentials stay usable. All users of affected versions are impacted.

💻 Affected Systems

Products:
  • DayByDay CRM
Versions: 2.2.0 through 2.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using default session configuration are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with stolen credentials maintains persistent access even after the legitimate user changes their password, leading to complete account takeover and potential data exfiltration.

🟠 Likely Case

Legitimate users who change passwords remain vulnerable to session hijacking from previous compromised sessions, allowing unauthorized access to CRM data.

🟢 If Mitigated

With proper session invalidation, password changes immediately terminate all existing sessions, preventing unauthorized access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial credential compromise but is trivial once achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Modify session.php to invalidate sessions on password change.

🔧 Temporary Workarounds

Manual Session Invalidation

Applies to: all

Modify session configuration to invalidate sessions when passwords change

Edit config/session.php line 32 to implement session regeneration on password change
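The fix and the workaround above both come down to one rule: a session must not outlive the password it was issued under. The following is an added example (not DayByDay CRM code and not the vendor's fix) that shows the rule in framework-neutral Python. Each session records the user's password "generation" at issue time; a password change bumps the generation, so every older session fails its next validation, and the session that made the change is reissued under a fresh ID. The class and method names, the in-memory store and the opaque password-hash strings are assumptions made for this example.

```python
"""Binding sessions to a password generation (added example; not DayByDay CRM code).

Every session records the password 'generation' that was current when it was
issued. A password change bumps the user's generation, so any session issued
under the old password fails its next validation. The session that performed
the change is reissued with a fresh ID so the legitimate user stays logged in.
Names (SessionStore, User, Session) and the in-memory storage are assumptions
made for this example; a real deployment would back this with its session
driver and a proper password hash (bcrypt/argon2) instead of an opaque string.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    password_hash: str            # opaque placeholder for a real password hash
    password_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    user_id: str
    password_generation: int      # generation current when the session was issued
    issued_at: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, max_age_seconds: int = 1800):
        self._users: dict[str, User] = {}
        self._sessions: dict[str, Session] = {}
        self.max_age = max_age_seconds  # absolute timeout, as in the "If You Can't Patch" list

    def add_user(self, user_id: str, password_hash: str) -> None:
        self._users[user_id] = User(password_hash)

    def login(self, user_id: str) -> str:
        """Issue a session bound to the user's current password generation."""
        user = self._users[user_id]
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, user.password_generation)
        return sid

    def validate(self, sid: str, enforce_generation: bool = True):
        """Return the user ID for a live session, or None.

        enforce_generation=False reproduces the vulnerable behaviour described
        on this page: sessions keep working after a password change.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if time.time() - session.issued_at > self.max_age:
            del self._sessions[sid]
            return None
        user = self._users[session.user_id]
        if enforce_generation and session.password_generation != user.password_generation:
            del self._sessions[sid]  # issued before the password change: stale
            return None
        return session.user_id

    def change_password(self, sid: str, new_password_hash: str) -> str:
        """Change the password for the session's user and invalidate all other sessions.

        Returns a new session ID for the caller (regenerated so the old ID,
        which may have leaked, is dead as well).
        """
        user_id = self.validate(sid)
        if user_id is None:
            raise PermissionError("session is not valid")
        user = self._users[user_id]
        user.password_hash = new_password_hash
        user.password_generation += 1   # every existing session is now stale
        del self._sessions[sid]         # rotate the caller's own session ID
        return self.login(user_id)
```

The generation counter is preferable to a `password_changed_at` timestamp because it does not depend on clock agreement between the application and the session store. In a Laravel application (the framework the config/session.php path on this page points to) the equivalent built-in pieces are `Auth::logoutOtherDevices()` together with the `AuthenticateSession` middleware, plus `$request->session()->regenerate()` for the caller's own session; the page itself does not name them.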

🧯 If You Can't Patch

  • Implement mandatory session timeouts (e.g., 15-30 minutes)
  • Monitor for unusual session activity and force logout suspicious sessions

🔍 How to Verify

Check if Vulnerable:

Check if config/session.php lacks session invalidation logic for password changes

Check Version:

Check DayByDay CRM version in admin panel or package.json

Verify Fix Applied:

Test that changing a password immediately logs out all existing sessions

📡 Detection & Monitoring

Log Indicators:

  • Multiple active sessions for same user after password change
  • Session IDs persisting beyond password reset

Network Indicators:

  • Unusual session duration patterns

SIEM Query:

session.user_id AND event_type:password_change AND NOT event_type:session_invalidation
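The log indicators and the SIEM query above can be turned into a concrete check. The following is an added example (not part of the original advisory and not DayByDay CRM code) that replays audit events and flags two things: a session ID that was in use before a user's password change and is accepted again afterwards without an intervening session_invalidation event, and users whose password change produced no session_invalidation at all (the intent of the SIEM query). The JSON-lines schema (`ts`, `user`, `event_type`, `session_id`) and the sample lines are constructed for this example; adapt the field names to the application's real audit log.

```python
"""Detecting sessions that outlive a password change (added example; not part of
the original advisory or of DayByDay CRM).

Replays JSON-lines audit events and flags any session ID that was in use before
a user's password change and is used again afterwards without an intervening
session_invalidation event. The event schema (ts, user, event_type, session_id)
and the sample lines are constructed for this example.
"""
import json
from collections import defaultdict

# Constructed sample audit log: alice's sessions A1 and B7 keep working after her
# password change; bob's application invalidated everything and issued D9 fresh.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:00Z", "user": "alice", "event_type": "request", "session_id": "A1"}
{"ts": "2024-03-01T10:00:05Z", "user": "alice", "event_type": "request", "session_id": "B7"}
{"ts": "2024-03-01T10:02:00Z", "user": "alice", "event_type": "password_change", "session_id": "A1"}
{"ts": "2024-03-01T10:02:01Z", "user": "alice", "event_type": "request", "session_id": "A1"}
{"ts": "2024-03-01T10:05:00Z", "user": "alice", "event_type": "request", "session_id": "B7"}
{"ts": "2024-03-01T10:06:00Z", "user": "bob", "event_type": "request", "session_id": "C3"}
{"ts": "2024-03-01T10:07:00Z", "user": "bob", "event_type": "password_change", "session_id": "C3"}
{"ts": "2024-03-01T10:07:01Z", "user": "bob", "event_type": "session_invalidation", "session_id": null}
{"ts": "2024-03-01T10:08:00Z", "user": "bob", "event_type": "request", "session_id": "D9"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sessions_surviving_password_change(events):
    """Return {(user, session_id)} for IDs used both before and after a password change."""
    events = sorted(events, key=lambda e: e["ts"])  # one ISO-8601 format, so string order works
    seen = defaultdict(set)    # user -> session IDs observed so far
    stale = defaultdict(set)   # user -> IDs that should have died at the last password change
    flagged = set()
    for e in events:
        user, sid, kind = e["user"], e.get("session_id"), e["event_type"]
        if kind == "password_change":
            stale[user] = set(seen[user])     # everything issued so far is now stale
        elif kind == "session_invalidation":
            if sid is None:
                stale[user].clear()           # application killed all of the user's sessions
            else:
                stale[user].discard(sid)      # a single session was revoked
        elif kind == "request":
            if sid in stale[user]:
                flagged.add((user, sid))      # stale ID still being accepted
            seen[user].add(sid)
    return flagged


def password_changes_without_invalidation(events):
    """Users whose password_change was not followed by any session_invalidation."""
    events = sorted(events, key=lambda e: e["ts"])
    pending = set()
    for e in events:
        if e["event_type"] == "password_change":
            pending.add(e["user"])
        elif e["event_type"] == "session_invalidation":
            pending.discard(e["user"])
    return pending


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("sessions surviving a password change:", sorted(sessions_surviving_password_change(evs)))
    print("password changes with no invalidation:", sorted(password_changes_without_invalidation(evs)))
```

Note that the session that performed the change (A1) is flagged as well: a correct fix regenerates that ID too, so seeing it again after the change is itself the "Session IDs persisting beyond password reset" indicator listed above, not a false positive.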
