PT-2009-1993 · Openinvoice · Openinvoice

T0Pp8Uzz

Published

2009-03-25

Updated

2017-09-29

CVE-2008-6523

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions openInvoice versions 0.90 beta and earlier

Description The issue allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. This can be combined with a separate vulnerability in resetpass.php to modify passwords for arbitrary users.

Recommendations For openInvoice versions 0.90 beta and earlier, consider disabling the authentication mechanism that uses the oiauth cookie until a patch is available. Restrict access to the resetpass.php file to minimize the risk of exploitation. Avoid using the oiauth cookie for authentication purposes until the issue is resolved.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2008-6523

Affected Products

Openinvoice

PT-2009-1993 · Openinvoice · Openinvoice

CVE-2008-6523

Weakness Enumeration

Related Identifiers

Affected Products

References · 4