CVE-2019-12742

2019-06-0516:29:01

Google

osv.dev

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.0%

JSON

Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter).

CPENameOperatorVersion
bluditeq0.6.2
bluditeq3.9.0
bluditeq0.5
bluditeq2.0-beta4
bluditeq2.0.2
bluditeq1.0-beta1
bluditeq3.0.0-alpha-2
bluditeq3.3.0
bluditeq1.5-beta2
bluditeq2.0-alpha1

Name	Operator	Version
bludit	eq	0.6.2
bludit	eq	3.9.0
bludit	eq	0.5
bludit	eq	2.0-beta4
bludit	eq	2.0.2
bludit	eq	1.0-beta1
bludit	eq	3.0.0-alpha-2
bludit	eq	3.3.0
bludit	eq	1.5-beta2
bludit	eq	2.0-alpha1