CVE-2020-7378 CRIXP OpenCRX Unverified Password Change

2020-11-2416:35:15

CWE-620

rapid7

www.cve.org

crixp opencrx

unverified password change

vulnerability

version 4.30

version 5.0-20200717

attacker

admin-standard

resolved

version 5.0-20200904

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.3

Confidence

High

EPSS

0.003

Percentile

71.0%

JSON

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

CNA Affected

[
  {
    "product": "OpenCRX",
    "vendor": "CRIXP",
    "versions": [
      {
        "lessThanOrEqual": "4.30",
        "status": "affected",
        "version": "4.30",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "5.0-20200717",
        "status": "affected",
        "version": "5.0-20200717",
        "versionType": "custom"
      }
    ]
  }
]