CVE-2017-12850

An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46.

CVSS v3 8.8 HIGH
CVSS v2.0 4.0 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/100352	Third Party Advisory VDB Entry
https://github.com/kanboard/kanboard/commit/88dd6abbf3f519897f2f6280e95c9eec9123a4ae	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-08-14 20:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-12850

Mitre link : CVE-2017-12850

CVE.ORG link : CVE-2017-12850

JSON object : View

Products Affected

kanboard

kanboard

CWE

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

{"id": "CVE-2017-12850", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-08-14T20:29:00.183", "references": [{"url": "http://www.securityfocus.com/bid/100352", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/kanboard/kanboard/commit/88dd6abbf3f519897f2f6280e95c9eec9123a4ae", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46."}, {"lang": "es", "value": "Un usuario est\u00e1ndar autenticado podr\u00eda resetear la contrase\u00f1a de otros usuarios (incluyendo al administrador) alterando los datos del formulario. Afecta a kanboard en versiones anteriores a la 1.0.46."}], "lastModified": "2017-08-24T15:51:40.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF0BD9E9-7C97-4DAD-842F-0D05D1EF2EF9", "versionEndIncluding": "1.0.45"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}