CVE-2025-27416 (GCVE-0-2025-27416)

Vulnerability from cvelistv5 – Published: 2025-03-01 00:10 – Updated: 2025-03-04 19:18
VLAI?
Title
Asking For Scratch Username And Password
Summary
Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in.
Severity ?
5.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U
CWE
  • CWE-287 - Improper Authentication
Assigner
References
Impacted products
Vendor Product Version
Scratch-Coding-Hut Scratch-Coding-Hut.github.io Affected: <= 2025-02-28
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27416",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T19:18:19.172509Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T19:18:29.831Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Scratch-Coding-Hut.github.io",
          "vendor": "Scratch-Coding-Hut",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2025-02-28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-01T00:10:29.184Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/security/advisories/GHSA-xx32-r9wr-whff",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/security/advisories/GHSA-xx32-r9wr-whff"
        },
        {
          "name": "https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/issues/3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/issues/3"
        }
      ],
      "source": {
        "advisory": "GHSA-xx32-r9wr-whff",
        "discovery": "UNKNOWN"
      },
      "title": "Asking For Scratch Username And Password"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27416",
    "datePublished": "2025-03-01T00:10:29.184Z",
    "dateReserved": "2025-02-24T15:51:17.268Z",
    "dateUpdated": "2025-03-04T19:18:29.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27416\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-01T01:15:28.857\",\"lastModified\":\"2025-03-01T01:15:28.857\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in.\"},{\"lang\":\"es\",\"value\":\"Scratch-Coding-Hut.github.io es el sitio web de Coding Hut. El 28 de febrero de 2025, el sitio web conten\u00eda un formulario de inicio de sesi\u00f3n con nombre de usuario y contrase\u00f1a de Scratch. Cualquier usuario que utilizara la p\u00e1gina de inicio de sesi\u00f3n podr\u00eda verse expuesto a que cualquier otro usuario iniciara sesi\u00f3n en su cuenta. Al momento de la publicaci\u00f3n, no hab\u00eda una soluci\u00f3n disponible, pero se estaba trabajando en una. Como workaround, los usuarios deber\u00edan evitar iniciar sesi\u00f3n.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/issues/3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/security/advisories/GHSA-xx32-r9wr-whff\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27416\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-04T19:18:19.172509Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-04T19:18:24.596Z\"}}], \"cna\": {\"title\": \"Asking For Scratch Username And Password\", \"source\": {\"advisory\": \"GHSA-xx32-r9wr-whff\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Scratch-Coding-Hut\", \"product\": \"Scratch-Coding-Hut.github.io\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2025-02-28\"}]}], \"references\": [{\"url\": \"https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/security/advisories/GHSA-xx32-r9wr-whff\", \"name\": \"https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/security/advisories/GHSA-xx32-r9wr-whff\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/issues/3\", \"name\": \"https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/issues/3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-01T00:10:29.184Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27416\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-04T19:18:29.831Z\", \"dateReserved\": \"2025-02-24T15:51:17.268Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-01T00:10:29.184Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.