CVE-2022-22110: 
PHP vulnerability analysis and mitigation

CVE-2022-22110 affects Daybyday CRM versions 1.1 through 2.2.0. The vulnerability was discovered and disclosed on January 5, 2022. The issue lies in the user update functionality where weak password requirements are enforced, allowing users with password update privileges to set passwords with minimal security requirements (NVD, WhiteSource).

The vulnerability stems from a lack of password length validation in the user update functionality. When a user with 'Update a User' access attempts to modify their password, the application accepts weak passwords, including single-character passwords, without performing minimum length or strength validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity (WhiteSource).

The vulnerability allows attackers to potentially brute-force users' passwords with minimal computational effort due to the acceptance of extremely weak passwords. This could lead to unauthorized access to user accounts and compromise of sensitive information (WhiteSource).

The vulnerability has been fixed in version 2.2.1 of the DaybydayCRM software. The fix implements proper password length validation, requiring a minimum of 6 characters for passwords during the update process (GitHub Patch).