Lucene search

MendCVELIST:CVE-2021-25961

HistorySep 29, 2021 - 1:50 p.m.

CVE-2021-25961 SuiteCRM - Account Takeover in Password Reset Functionality

2021-09-2913:50:10

CWE-640

Mend

www.cve.org

suitecrm

account takeover

password reset

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.002

Percentile

55.9%

JSON

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.

CNA Affected

[
  {
    "product": "SuiteCRM",
    "vendor": "salesagility",
    "versions": [
      {
        "changes": [
          {
            "at": "v7.10.32",
            "status": "unaffected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "v7.1.7",
        "versionType": "custom"
      },
      {
        "lessThan": "v7.11.21",
        "status": "affected",
        "version": "v7.11",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513

github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.002

Percentile

55.9%

JSON

Related for CVELIST:CVE-2021-25961