CVE-2022-2921
Published 2022-08-21

CVE-2022-2921: Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation…

Priority: P3 (50) · HIGH · 8.8 · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.10% (61.7th percentile)
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| notrinos | notrinos-erp | >= 0 < 0.7 | 0.7 |
| notrinos | notrinos_notrinoserp | >= unspecified < 0.7 | 0.7 |
| notrinos | notrinoserp | < 0.7 | 0.7 |
CVSS provenance
- nvd v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
OSV
osv · 2022-08-22
CVE-2022-2921 [HIGH] Exposure of password hashes in notrinos/notrinos-erp

The AP officer's account is authorized to back up and restore the database. Because of this, he/she can download the backup and see the password hash of the System Administrator account. The weak hash (MD5) of the password can be easily cracked to obtain the admin password.
GHSA
ghsa · 2022-08-22
CVE-2022-2921 [HIGH] CWE-359 Exposure of password hashes in notrinos/notrinos-erp
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45
https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c