Vulnerability Details : CVE-2022-24865
HumHub is an Open Source Enterprise Social Network. In affected versions, users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that HumHub is upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.
Vulnerability category: Information leak
Products affected by CVE-2022-24865
- cpe:2.3:a:humhub:humhub:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24865
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24865
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2022-24865
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24865
- https://github.com/humhub/humhub/commit/eb83de20aaecc559ab77a44a6179646a99607e33
  Fix must change password (#5638) · humhub/humhub@eb83de2 · GitHub (Patch; Third Party Advisory)
- https://github.com/humhub/humhub/security/advisories/GHSA-2h35-f226-3f57
  Improper access control when user is forced to change password · Advisory · humhub/humhub · GitHub (Third Party Advisory)
- https://huntr.dev/bounties/89d996a2-de30-4261-8e3f-98e54cb25f76/
  Improper access control could make any user export all users of website vulnerability found in humhub (Exploit; Patch; Third Party Advisory)