Lucene search

MitreCVE-2023-37756

HistorySep 14, 2023 - 9:15 p.m.

CVE-2023-37756

2023-09-1421:15:10

CWE-521

mitre

web.nvd.nist.gov

cve-2023-37756

i-doit

weak password

bruteforce

administrator account

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.002

Percentile

56.4%

JSON

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation. Attackers are able to easily guess users’ passwords via a bruteforce attack.

Affected configurations

Nvd

Node

i-doiti-doitRange≤25open

i-doiti-doitRange≤25pro

VendorProductVersionCPE
i-doiti-doit*cpe:2.3:a:i-doit:i-doit:*:*:*:*:open:*:*:*
i-doiti-doit*cpe:2.3:a:i-doit:i-doit:*:*:*:*:pro:*:*:*

Vendor	Product	Version	CPE
i-doit	i-doit	*	cpe:2.3:a:i-doit:i-doit:::::open:::*
i-doit	i-doit	*	cpe:2.3:a:i-doit:i-doit:::::pro:::*

References

github.com/leekenghwa/CVE-2023-37756-CWE-521-lead-to-malicious-plugin-upload-in-the-i-doit-Pro-25-and-below/blob/main/README.md

medium.com/%40ray.999/idoit-pro-v25-and-below-weak-password-add-on-upload-to-rce-cve-2023-37756-fa1b18433ca3

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.002

Percentile

56.4%

JSON

Related for CVE-2023-37756