Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NHc1LXEyNTctODQyOM4AAuXQ
Exposure of password hashes in notrinos/notrinos-erp
The AP officer's account is authorized to back up and restore the database. Because of this, the AP officer can download the backup and read the password hash of the System Administrator account. The weak hash (MD5) of the password can be easily cracked to recover the admin password.
Permalink: https://github.com/advisories/GHSA-44w5-q257-8428
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NHc1LXEyNTctODQyOM4AAuXQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-44w5-q257-8428, CVE-2022-2921
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2921
- https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45
- https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c
- https://github.com/advisories/GHSA-44w5-q257-8428
Blast Radius: 1.0
Affected Packages
packagist:notrinos/notrinos-erp
Dependent packages: 0
Dependent repositories: 0
Downloads: 267 total
Affected Version Ranges: < 0.7
Fixed in: 0.7
All affected versions:
All unaffected versions: