CVE-2021-44692 - OpenCVE

BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. JohnDoe@example.com would become /members/johndoeexample-com and Jo.test@example.com would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Buddyboss	Buddyboss

Configuration 1 [-]

cpe:2.3:a:buddyboss:buddyboss:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.buddyboss.com/resources/buddyboss-platform-releases/
https://www.cygenta.co.uk/post/buddyboss

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-01-26T15:35:57

Updated: 2024-08-04T04:25:16.960Z

Reserved: 2021-12-06T00:00:00

Link: CVE-2021-44692

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-26T16:15:07.570

Modified: 2022-02-02T15:57:59.923

Link: CVE-2021-44692

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. JohnDoe@example.com would become /members/johndoeexample-com and Jo.test@example.com would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-26T15:35:57", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cygenta.co.uk/post/buddyboss"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-44692", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. JohnDoe@example.com would become /members/johndoeexample-com and Jo.test@example.com would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.buddyboss.com/resources/buddyboss-platform-releases/", "refsource": "MISC", "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"name": "https://www.cygenta.co.uk/post/buddyboss", "refsource": "MISC", "url": "https://www.cygenta.co.uk/post/buddyboss"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:25:16.960Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cygenta.co.uk/post/buddyboss"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-44692", "datePublished": "2022-01-26T15:35:57", "dateReserved": "2021-12-06T00:00:00", "dateUpdated": "2024-08-04T04:25:16.960Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:buddyboss:buddyboss:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6C71BB4-0D91-4902-A832-3FB3EE3C2C31", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. JohnDoe@example.com would become /members/johndoeexample-com and Jo.test@example.com would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses."}, {"lang": "es", "value": "La plataforma BuddyBoss versiones hasta 1.8.0, permite a atacantes remotos obtener la direcci\u00f3n de correo electr\u00f3nico de cada usuario. Cuando es creado un nuevo usuario, es generado un ID \u00fanico para su perfil. Este UID es su direcci\u00f3n de correo electr\u00f3nico privada con los s\u00edmbolos eliminados y los puntos sustituidos por guiones. Por ejemplo. JohnDoe@example.com podr\u00eda ser convertido en /members/johndoeexample-com y Jo.test@example.com en /members/jo-testexample-com. La lista de miembros est\u00e1 disponible para todos y (en una configuraci\u00f3n por defecto) a menudo sin autenticaci\u00f3n. Por lo tanto, es trivial recopilar una lista de direcciones de correo electr\u00f3nico"}], "id": "CVE-2021-44692", "lastModified": "2022-02-02T15:57:59.923", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-26T16:15:07.570", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.cygenta.co.uk/post/buddyboss"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}