Search criteria
2 vulnerabilities found for OpenCRX by CRIXP
CVE-2020-7378 (GCVE-0-2020-7378)
Vulnerability from cvelistv5 – Published: 2020-11-24 16:35 – Updated: 2024-09-16 20:37
VLAI?
Summary
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
Severity ?
9.1 (Critical)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7's standard vulnerability disclosure policy.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenCRX",
"vendor": "CRIXP",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0-20200717",
"status": "affected",
"version": "5.0-20200717",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"datePublic": "2020-11-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-24T16:35:14",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
},
"title": "CRIXP OpenCRX Unverified Password Change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-11-24T15:00:00.000Z",
"ID": "CVE-2020-7378",
"STATE": "PUBLIC",
"TITLE": "CRIXP OpenCRX Unverified Password Change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenCRX",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.30",
"version_value": "4.30"
},
{
"version_affected": "\u003c=",
"version_name": "5.0-20200717",
"version_value": "5.0-20200717"
}
]
}
}
]
},
"vendor_name": "CRIXP"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-620 Unverified Password Change"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7378",
"datePublished": "2020-11-24T16:35:15.035583Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T20:37:06.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7378 (GCVE-0-2020-7378)
Vulnerability from nvd – Published: 2020-11-24 16:35 – Updated: 2024-09-16 20:37
VLAI?
Summary
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
Severity ?
9.1 (Critical)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7's standard vulnerability disclosure policy.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenCRX",
"vendor": "CRIXP",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0-20200717",
"status": "affected",
"version": "5.0-20200717",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"datePublic": "2020-11-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-24T16:35:14",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
},
"title": "CRIXP OpenCRX Unverified Password Change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-11-24T15:00:00.000Z",
"ID": "CVE-2020-7378",
"STATE": "PUBLIC",
"TITLE": "CRIXP OpenCRX Unverified Password Change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenCRX",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.30",
"version_value": "4.30"
},
{
"version_affected": "\u003c=",
"version_name": "5.0-20200717",
"version_value": "5.0-20200717"
}
]
}
}
]
},
"vendor_name": "CRIXP"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-620 Unverified Password Change"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7378",
"datePublished": "2020-11-24T16:35:15.035583Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T20:37:06.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}