CVE-2022-2921

HIGH8.8EPSS 0.46%

Exposure of password hashes in notrinos/notrinos-erp

Published: 8/22/2022Modified: 11/8/2023

Description

The AP officers account is authorized to Backup and Restore the Database, Due to this he/she can download the backup and see the password hash of the System Administrator account, The weak hash (MD5) of the password can be easily cracked and get the admin password.

Affected packages (1)

Packagist/notrinos/notrinos-erpfrom 0, < 0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2921
PATCHhttps://github.com/notrinos/NotrinosERP
WEBhttps://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45
WEBhttps://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c