Vulnerability Description
BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. [email protected] would become /members/johndoeexample-com and [email protected] would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Buddyboss | Buddyboss | <= 1.8.0 |
Related Weaknesses (CWE)
References
- https://www.buddyboss.com/resources/buddyboss-platform-releases/Release NotesVendor Advisory
- https://www.cygenta.co.uk/post/buddybossMitigationThird Party Advisory
- https://www.buddyboss.com/resources/buddyboss-platform-releases/Release NotesVendor Advisory
- https://www.cygenta.co.uk/post/buddybossMitigationThird Party Advisory
FAQ
What is CVE-2021-44692?
CVE-2021-44692 is a vulnerability with a CVSS score of 5.3 (MEDIUM). BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email...
How severe is CVE-2021-44692?
CVE-2021-44692 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-44692?
Check the references section above for vendor advisories and patch information. Affected products include: Buddyboss Buddyboss.