CVE-2020-7378

Опубликовано: 24 нояб. 2020

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

Ссылки

https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/
Exploit
Third Party Advisory
https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:opencrx:opencrx:*:*:*:*:*:*:*:*

Версия до 4.3.0 (включая)

cpe:2.3:a:opencrx:opencrx:5.0:20200714:*:*:*:*:*:*

cpe:2.3:a:opencrx:opencrx:5.0:20200715:*:*:*:*:*:*

cpe:2.3:a:opencrx:opencrx:5.0:20200717:*:*:*:*:*:*

cpe:2.3:a:opencrx:opencrx:5.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.08686

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-620

CWE-287

Связанные уязвимости

GHSA-94cq-h6f7-9rvw

github

больше 3 лет назад