Executive Summary
Summary | |
---|---|
Title | PivotX password reset vulnerability |
Informations | |||
---|---|---|---|
Name | VU#175068 | First vendor Publication | 2011-02-18 |
Vendor | VU-CERT | Last vendor Modification | 2011-02-18 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#175068PivotX password reset vulnerabilityOverviewThe PivotX web content management system 2.2.3 and earlier is affected by a password reset vulnerability.I. DescriptionPivotX contains a vulnerability that allows an attacker to change the password of any account just by guessing the username. Version 2.2.4 has been reported to not be affected. This vulnerability is being exploited in the wild and users should immediately upgrade to 2.2.5 or later. Mitigation steps for users that have been compromised have been posted to the PivotX Support Community.II. ImpactAn attacker can gain admin access to the PivotX content management system with a specially crafted URL. Admin access allows the possibility to upload files to the server as well.III. SolutionApply an UpdateUpgrade to version 2.2.5 or later.
Referenceshttp://forum.pivotx.net/viewtopic.php?p=10639#p10639 Thanks to "Hans F. Nordhaug" for reporting this vulnerability. This document was written by Jared Allar.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/175068 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-255 | Credentials Management |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-03-05 | Name : FreeBSD Ports: pivotx File : nvt/freebsd_pivotx.nasl |
2011-02-23 | Name : PivotX 'Reset my password' Feature Data Manipulation Vulnerability File : nvt/secpod_pivotx_data_manipulation_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70935 | PivotX Unspecified Unauthorized Password Reset PivotX contains a flaw related to the password reset mechanism. The issue is triggered when a remote attacker determines a user's username, allowing them to modify the user's password through unspecified means. No further details have been provided. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-02-21 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_ae0e58353cad11e0b65400215c6a37bb.nasl - Type : ACT_GATHER_INFO |