CVE-2019-19857

An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS.

CVSS v3 6.5 MEDIUM
CVSS v2.0 5.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://websec.nl/news.php	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:serpico_project:serpico:1.3.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-01-15 23:15

Updated : 2024-02-04 20:39

NVD link : CVE-2019-19857

Mitre link : CVE-2019-19857

CVE.ORG link : CVE-2019-19857

JSON object : View

Products Affected

serpico_project

serpico

CWE

CWE-287

Improper Authentication

{"id": "CVE-2019-19857", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-01-15T23:15:11.777", "references": [{"url": "https://websec.nl/news.php", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Serpico (tambi\u00e9n se conoce como SimplE RePort wrIting and CollaboratiOn tool) versi\u00f3n 1.3.0. Un administrador puede cambiar su contrase\u00f1a sin proporcionar la contrase\u00f1a actual, mediante el uso de interfaces fuera de la pantalla Change Password. Por lo tanto, solicitar al administrador que ingrese un valor Old Password en la pantalla Change Password no mejora la seguridad. Esto es problem\u00e1tico en conjunto con un ataque de tipo XSS."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:serpico_project:serpico:1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B0682FF-A9EC-4DE4-AF14-7956F3DB2800"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}