{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-12310", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-10-26T17:15:36.557Z", "datePublished": "2025-10-27T19:32:05.375Z", "dateUpdated": "2025-10-27T20:27:37.336Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-27T19:32:05.375Z"}, "title": "VirtFusion Email Change _settings excessive authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-307", "lang": "en", "description": "Improper Restriction of Excessive Authentication Attempts"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-799", "lang": "en", "description": "Improper Control of Interaction Frequency"}]}], "affected": [{"vendor": "n/a", "product": "VirtFusion", "versions": [{"version": "6.0.0", "status": "affected"}, {"version": "6.0.1", "status": "affected"}, {"version": "6.0.2", "status": "affected"}], "modules": ["Email Change Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "In VirtFusion up to 6.0.2 wurde eine Schwachstelle gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Datei /account/_settings der Komponente Email Change Handler. Mit der Manipulation mit unbekannten Daten kann eine improper restriction of excessive authentication attempts-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-10-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-10-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-10-26T18:20:39.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0xfun (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.329982", "name": "VDB-329982 | VirtFusion Email Change _settings excessive authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.329982", "name": "VDB-329982 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.676825", "name": "Submit #676825 | VirtFusion Ltd. VirtFusion 6.0.2 Authentication / Broken Authentication (Brute-forceable OTP / Mi", "tags": ["third-party-advisory"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T20:26:53.714275Z", "id": "CVE-2025-12310", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T20:27:37.336Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12310", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T20:26:53.714275Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T20:27:31.977Z"}}], "cna": {"title": "VirtFusion Email Change _settings excessive authentication", "credits": [{"lang": "en", "type": "reporter", "value": "0xfun (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["Email Change Handler"], "product": "VirtFusion", "versions": [{"status": "affected", "version": "6.0.0"}, {"status": "affected", "version": "6.0.1"}, {"status": "affected", "version": "6.0.2"}]}], "timeline": [{"lang": "en", "time": "2025-10-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-10-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-10-26T18:20:39.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.329982", "name": "VDB-329982 | VirtFusion Email Change _settings excessive authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.329982", "name": "VDB-329982 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.676825", "name": "Submit #676825 | VirtFusion Ltd. VirtFusion 6.0.2 Authentication / Broken Authentication (Brute-forceable OTP / Mi", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "In VirtFusion up to 6.0.2 wurde eine Schwachstelle gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Datei /account/_settings der Komponente Email Change Handler. Mit der Manipulation mit unbekannten Daten kann eine improper restriction of excessive authentication attempts-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "Improper Restriction of Excessive Authentication Attempts"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-799", "description": "Improper Control of Interaction Frequency"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-27T19:32:05.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12310", "state": "PUBLISHED", "dateUpdated": "2025-10-27T20:27:37.336Z", "dateReserved": "2025-10-26T17:15:36.557Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-10-27T19:32:05.375Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2025-12310", "lastModified": "2025-10-27T20:15:51.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-10-27T20:15:51.943", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.329982"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.329982"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.676825"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-799"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{}