CVE-2020-7378 — CRITICAL (9.1)

Q: How severe is CVE-2020-7378?

CVE-2020-7378 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-7378?

Check the references section above for vendor advisories and patch information. Affected products include: Opencrx Opencrx.

Vulnerability Description

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Opencrx	Opencrx	<= 4.3.0

Related Weaknesses (CWE)

CWE-287 CWE-620

References

https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-chaExploitThird Party Advisory
https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-chaExploitThird Party Advisory

FAQ

What is CVE-2020-7378?

CVE-2020-7378 is a vulnerability with a CVSS score of 9.1 (CRITICAL). CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the passw...

How severe is CVE-2020-7378?

CVE-2020-7378 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-7378?

Check the references section above for vendor advisories and patch information. Affected products include: Opencrx Opencrx.