CVE-2014-3445

backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the administrator password hash.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
handsomewebsos_webpages
𝑥
< 1.1.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/126844/HandsomeWeb-SOS-Webpages-1.1.11-Backup-Hash-Disclosure.html
http://seclists.org/fulldisclosure/2014/May/130
http://sourceforge.net/projects/soswebpages/files/SOS%20Webpages/SOS%20Webpages%201.1.12/
http://www.securityfocus.com/bid/67644
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/
http://packetstormsecurity.com/files/126844/HandsomeWeb-SOS-Webpages-1.1.11-Backup-Hash-Disclosure.html
http://seclists.org/fulldisclosure/2014/May/130
http://sourceforge.net/projects/soswebpages/files/SOS%20Webpages/SOS%20Webpages%201.1.12/
http://www.securityfocus.com/bid/67644
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/