CVE-2021-31745 - OpenCVE

Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Pluck-cms	Pluck

Configuration 1 [-]

cpe:2.3:a:pluck-cms:pluck:4.7.15:-:*:*:*:*:*:*

References

Link	Resource
https://github.com/pluck-cms/pluck/issues/99	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-12-10T17:40:21

Updated: 2021-12-10T17:40:21

Reserved: 2021-04-23T00:00:00

Link: CVE-2021-31745

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-10T18:15:07.463

Modified: 2021-12-14T17:34:46.407

Link: CVE-2021-31745

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pluck-cms:pluck:4.7.15:-:*:*:*:*:*:*", "matchCriteriaId": "5B0E653C-FAAD-43AE-A234-ED23E59BB31A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password."}, {"lang": "es", "value": "Una vulnerabilidad de Fijaci\u00f3n de Sesi\u00f3n en el archivo login.php en Pluck-CMS Pluck versi\u00f3n 4.7.15, permite a un atacante mantener el acceso no autorizado a la plataforma. Debido a que Pluck no invalida las sesiones anteriores despu\u00e9s de un cambio de contrase\u00f1a, el acceso puede mantenerse incluso despu\u00e9s de que un administrador lleve a cabo intentos regulares de reparaci\u00f3n, como el restablecimiento de su contrase\u00f1a"}], "id": "CVE-2021-31745", "lastModified": "2021-12-14T17:34:46.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-10T18:15:07.463", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/pluck-cms/pluck/issues/99"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}