CVE-2024-9907
Oct. 15, 2024, 12:57 p.m.
Tags
CVSS Score
Product(s) Impacted
QileCMS
- up to 1.1.3
Description
A vulnerability classified as problematic was found in QileCMS up to 1.1.3. This vulnerability affects the function sendEmail of the file /qilecms/user/controller/Forget.php of the component Verification Code Handler. The manipulation leads to weak password recovery. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Weaknesses
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CWE ID: 640Date
Published: Oct. 13, 2024, 5:15 a.m.
Last Modified: Oct. 15, 2024, 12:57 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cna@vuldb.com
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
Exploitability Score
Impact Score
Base Severity
LOWCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N