CVE-2022-3152 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
@huntrdev	CNA	9.6 CRITICAL	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Vendor	Product	Version
php-fusion	phpfusion	𝑥 < 9.10.20

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-620 - Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://github.com/phpfusion/phpfusion/commit/57c96d4a0c00e8e1e25100087654688123c6e991

https://huntr.dev/bounties/b3f888d2-5c71-4682-8287-42613401fd5a

https://github.com/phpfusion/phpfusion/commit/57c96d4a0c00e8e1e25100087654688123c6e991

https://huntr.dev/bounties/b3f888d2-5c71-4682-8287-42613401fd5a