CVE-2019-7648 : controller/fetchpwd.php and controller/doAction.php in Hotels

controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage.

Published 2019-02-08 17:29:00

Updated 2020-08-24 17:37:01

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-7648

Hotels Server Project » Hotels Server
Versions up to, including, (<=) 2018-11-05
cpe:2.3:a:hotels_server_project:hotels_server:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 32 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Assigned by: nvd@nist.gov (Primary)

https://github.com/FantasticLBP/Hotels_Server/issues/2

Using of BASE64 Encoding for storage of password and retrieval of password · Issue #2 · FantasticLBP/Hotels_Server · GitHub
Exploit;Third Party Advisory

Jump to