{"containers": {"cna": {"affected": [{"product": "dolibarr", "vendor": "Dolibarr", "versions": [{"changes": [{"at": "2.8.1", "status": "affected"}], "lessThanOrEqual": "13.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Hagai Wechsler"}], "descriptions": [{"lang": "en", "value": "In \u201cDolibarr\u201d application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-17T14:13:30.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377"}, {"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957"}], "solutions": [{"lang": "en", "value": "Update to 14.0.0"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "Account Takeover in \"Dolibarr\" via Password Reset Functionality", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "", "ID": "CVE-2021-25957", "STATE": "PUBLIC", "TITLE": "Account Takeover in \"Dolibarr\" via Password Reset Functionality"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dolibarr", "version": {"version_data": [{"platform": "", "version_affected": "<=", "version_name": "", "version_value": "13.0.2"}, {"platform": "", "version_affected": ">=", "version_name": "", "version_value": "2.8.1"}]}}]}, "vendor_name": "Dolibarr"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Hagai Wechsler"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In \u201cDolibarr\u201d application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377", "refsource": "MISC", "url": "https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957"}]}, "solution": [{"lang": "en", "value": "Update to 14.0.0"}], "source": {"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", "defect": [], "discovery": "UNKNOWN"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:18.991Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2021-25957", "datePublished": "2021-08-17T14:13:30.226Z", "dateReserved": "2021-01-22T00:00:00.000Z", "dateUpdated": "2024-09-17T01:51:51.602Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*", "matchCriteriaId": "730BE634-E4DD-4AC7-89A0-74ED7ED1EB2D", "versionEndIncluding": "13.0.2", "versionStartIncluding": "2.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In \u201cDolibarr\u201d application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password."}, {"lang": "es", "value": "En la aplicaci\u00f3n \"Dolibarr\", versiones v2.8.1 a v13.0.2, son vulnerables a la toma de cuenta por medio de la funcionalidad password reset. Un atacante poco privilegiado puede restablecer la contrase\u00f1a de cualquier usuario de la aplicaci\u00f3n usando el enlace de restablecimiento de contrase\u00f1a que el usuario recibi\u00f3 mediante correo electr\u00f3nico cuando se le solicit\u00f3 una contrase\u00f1a olvidada."}], "id": "CVE-2021-25957", "lastModified": "2024-11-21T05:55:40.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-17T15:15:08.040", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}