CVE-2008-5221 - OpenCVE

The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wportfolio	Wportfolio

Configuration 1 [-]

OR	cpe:2.3:a:wportfolio:wportfolio::::::::
	cpe:2.3:a:wportfolio:wportfolio:0.2:::::::*

No data.

References

Link	Providers
http://securityreason.com/securityalert/4631
http://www.securityfocus.com/bid/32384
http://www.vupen.com/english/advisories/2008/3219
https://exchange.xforce.ibmcloud.com/vulnerabilities/46772
https://www.exploit-db.com/exploits/7170

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-11-25T18:09:00

Updated: 2024-08-07T10:49:11.835Z

Reserved: 2008-11-25T00:00:00

Link: CVE-2008-5221

Vulnrichment

No data.

NVD

Status : Modified

Published: 2008-11-25T18:30:00.500

Modified: 2017-09-29T01:32:31.760

Link: CVE-2008-5221

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-11-20T00:00:00", "descriptions": [{"lang": "en", "value": "The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "4631", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/4631"}, {"name": "7170", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/7170"}, {"name": "ADV-2008-3219", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/3219"}, {"name": "wportfolio-userinfo-security-bypass(46772)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46772"}, {"name": "32384", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/32384"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5221", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "4631", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4631"}, {"name": "7170", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7170"}, {"name": "ADV-2008-3219", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3219"}, {"name": "wportfolio-userinfo-security-bypass(46772)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46772"}, {"name": "32384", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32384"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:49:11.835Z"}, "title": "CVE Program Container", "references": [{"name": "4631", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/4631"}, {"name": "7170", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/7170"}, {"name": "ADV-2008-3219", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/3219"}, {"name": "wportfolio-userinfo-security-bypass(46772)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46772"}, {"name": "32384", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/32384"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5221", "datePublished": "2008-11-25T18:09:00", "dateReserved": "2008-11-25T00:00:00", "dateUpdated": "2024-08-07T10:49:11.835Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wportfolio:wportfolio:*:*:*:*:*:*:*:*", "matchCriteriaId": "D647BB0C-AB05-4D4F-BEE8-582E2977099B", "versionEndIncluding": "0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:wportfolio:wportfolio:0.2:*:*:*:*:*:*:*", "matchCriteriaId": "ACA56D50-DDD6-42A9-A3EA-4F8278A32319", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters."}, {"lang": "es", "value": "La accion account_save en admin/userinfo.php en wPortfolio v0.3 y anteriores no necesita autenticaci\u00f3n a no es necesario conocer la contrase\u00f1a original, lo que permite a usuarios remotos cambiar la contrase\u00f1a de la cuenta de administrador a trav\u00e9s de los par\u00e1metros modificados \"password\" (contrase\u00f1a) y \"password_retype\" (reescribir contrase\u00f1a)."}], "id": "CVE-2008-5221", "lastModified": "2017-09-29T01:32:31.760", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-11-25T18:30:00.500", "references": [{"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4631"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/32384"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/3219"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46772"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7170"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}