Lucene search

MitreCVE-2015-6928

HistorySep 28, 2015 - 3:59 p.m.

CVE-2015-6928

2015-09-2815:59:01

CWE-284

mitre

web.nvd.nist.gov

cubecart

cve-2015-6928

password reset

remote attackers

administrator password

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

Confidence

Low

EPSS

0.015

Percentile

87.2%

JSON

classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.

Affected configurations

Nvd

Node

cubecartcubecartMatch5.2.12

cubecartcubecartMatch5.2.13

cubecartcubecartMatch5.2.14

cubecartcubecartMatch5.2.15

cubecartcubecartMatch6.0.0

cubecartcubecartMatch6.0.1

cubecartcubecartMatch6.0.2

cubecartcubecartMatch6.0.3

cubecartcubecartMatch6.0.4

cubecartcubecartMatch6.0.5

cubecartcubecartMatch6.0.6

VendorProductVersionCPE
cubecartcubecart5.2.12cpe:2.3:a:cubecart:cubecart:5.2.12:*:*:*:*:*:*:*
cubecartcubecart5.2.13cpe:2.3:a:cubecart:cubecart:5.2.13:*:*:*:*:*:*:*
cubecartcubecart5.2.14cpe:2.3:a:cubecart:cubecart:5.2.14:*:*:*:*:*:*:*
cubecartcubecart5.2.15cpe:2.3:a:cubecart:cubecart:5.2.15:*:*:*:*:*:*:*
cubecartcubecart6.0.0cpe:2.3:a:cubecart:cubecart:6.0.0:*:*:*:*:*:*:*
cubecartcubecart6.0.1cpe:2.3:a:cubecart:cubecart:6.0.1:*:*:*:*:*:*:*
cubecartcubecart6.0.2cpe:2.3:a:cubecart:cubecart:6.0.2:*:*:*:*:*:*:*
cubecartcubecart6.0.3cpe:2.3:a:cubecart:cubecart:6.0.3:*:*:*:*:*:*:*
cubecartcubecart6.0.4cpe:2.3:a:cubecart:cubecart:6.0.4:*:*:*:*:*:*:*
cubecartcubecart6.0.5cpe:2.3:a:cubecart:cubecart:6.0.5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cubecart	cubecart	5.2.12	cpe:2.3:a:cubecart:cubecart:5.2.12:::::::*
cubecart	cubecart	5.2.13	cpe:2.3:a:cubecart:cubecart:5.2.13:::::::*
cubecart	cubecart	5.2.14	cpe:2.3:a:cubecart:cubecart:5.2.14:::::::*
cubecart	cubecart	5.2.15	cpe:2.3:a:cubecart:cubecart:5.2.15:::::::*
cubecart	cubecart	6.0.0	cpe:2.3:a:cubecart:cubecart:6.0.0:::::::*
cubecart	cubecart	6.0.1	cpe:2.3:a:cubecart:cubecart:6.0.1:::::::*
cubecart	cubecart	6.0.2	cpe:2.3:a:cubecart:cubecart:6.0.2:::::::*
cubecart	cubecart	6.0.3	cpe:2.3:a:cubecart:cubecart:6.0.3:::::::*
cubecart	cubecart	6.0.4	cpe:2.3:a:cubecart:cubecart:6.0.4:::::::*
cubecart	cubecart	6.0.5	cpe:2.3:a:cubecart:cubecart:6.0.5:::::::*

Rows per page:

1-10 of 111

References

packetstormsecurity.com/files/133535/CubeCart-6.0.6-Administrative-Bypass.html

seclists.org/fulldisclosure/2015/Sep/40

www.securitytracker.com/id/1034015

forums.cubecart.com/topic/50277-critical-security-issue-admin-account-hijack/

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

Confidence

Low

EPSS

0.015

Percentile

87.2%

JSON

Related for CVE-2015-6928