CVE-2020-7378

Exploit

EPSS 8.69%
Veröffentlicht 24.11.2020 17:15:11
Zuletzt bearbeitet 21.11.2024 05:37:08
Quelle cve@rapid7.com
CVE-Watchlists
Login
Unerledigt
Login

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opencrx ≫ Opencrx Version <= 4.3.0

Opencrx ≫ Opencrx Version5.0 Update20200714

Opencrx ≫ Opencrx Version5.0 Update20200715

Opencrx ≫ Opencrx Version5.0 Update20200717

Opencrx ≫ Opencrx Version5.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	8.69%	0.916

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N
cve@rapid7.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-620 Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-7378

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-7378

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-7378

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-7378