Vulnerability Details : CVE-2023-42328
Potential exploit
An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie.
Vulnerability category: Execute code
Products affected by CVE-2023-42328
- cpe:2.3:a:peppermint:peppermint:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-42328
5.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-42328
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2023-42328
-
The product contains hard-coded credentials, such as a password or cryptographic key.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-42328
-
https://blockomat2100.github.io/posts/2023-09-04-damn-vulnerable-ticket-system/
Peppermint.sh - A damn vulnerable ticketing system - blockomat's blogExploit;Third Party Advisory
-
https://peppermint.sh/
peppermint.shProduct
-
https://github.com/Peppermint-Lab/peppermint/blob/446a20b870bc68157eaafcb7275c289d76bfb29e/apps/client/pages/api/auth/%5B...nextauth%5D.js#L65
peppermint/apps/client/pages/api/auth/[...nextauth].js at 446a20b870bc68157eaafcb7275c289d76bfb29e · Peppermint-Lab/peppermint · GitHubIssue Tracking
Jump to