Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by CRIXP
CVE-2020-7378 (GCVE-0-2020-7378)
Vulnerability from cvelistv5 – Published: 2020-11-24 16:35 – Updated: 2024-09-16 20:37
VLAI
Title
CRIXP OpenCRX Unverified Password Change
Summary
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
Severity
9.1 (Critical)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://blog.rapid7.com/2020/11/24/cve-2020-7378-… | x_refsource_MISC |
Impacted products
Date Public
2020-11-24 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenCRX",
"vendor": "CRIXP",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0-20200717",
"status": "affected",
"version": "5.0-20200717",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"datePublic": "2020-11-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-24T16:35:14.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
},
"title": "CRIXP OpenCRX Unverified Password Change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-11-24T15:00:00.000Z",
"ID": "CVE-2020-7378",
"STATE": "PUBLIC",
"TITLE": "CRIXP OpenCRX Unverified Password Change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenCRX",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.30",
"version_value": "4.30"
},
{
"version_affected": "\u003c=",
"version_name": "5.0-20200717",
"version_value": "5.0-20200717"
}
]
}
}
]
},
"vendor_name": "CRIXP"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7\u0027s standard vulnerability disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-620 Unverified Password Change"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
}
],
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7378",
"datePublished": "2020-11-24T16:35:15.035Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:37:06.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}