CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40084
https://notcve.org/view.php?id=CVE-2022-40084
OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid. Se ha detectado que OpenCRX versiones anteriores a v5.2.2, es vulnerable a una enumeración de contraseñas debido a la diferencia en los mensajes de error recibidos durante el restablecimiento de la contraseña, lo que podría permitir a un atacante determinar si un nombre de usuario, correo electrónico o ID es válido • https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294&text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack. https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md • CWE-203: Observable Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25959 – OpenCRX - Reflected Cross-Site Scripting in Password Reset Functionality
https://notcve.org/view.php?id=CVE-2021-25959
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance. En OpenCRX, versiones v4.0.0 hasta v5.1.0, son vulnerables a un ataque de tipo Cross-site Scripting (XSS) reflejado, debido a parámetros no saneados en la funcionalidad password reset. Esto permite una ejecución de archivos javascript externos en cualquier usuario de la instancia de openCRX • https://github.com/opencrx/opencrx/commit/14e75f95e5f56fbe7ee897bdf5d858788072e818 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25959 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 2CVE-2020-7378 – CRIXP OpenCRX Unverified Password Change
https://notcve.org/view.php?id=CVE-2020-7378
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020. CRIXP OpenCRX versiones 4.30 y 5.0-20200717 y anteriores sufre de una vulnerabilidad de cambio de contraseña no verificada. Un atacante que es capaz de conectarse a la instancia de OpenCRX afectada puede cambiar la contraseña de cualquier usuario, incluyendo admin-Standard, para cualquier valor elegido. • https://github.com/ruthvikvegunta/openCRX-CVE-2020-7378 https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change • CWE-287: Improper Authentication CWE-620: Unverified Password Change •