
CVE-2021-25961

Date: September 29, 2021

Overview

In the “SuiteCRM” application, versions v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links associated with a deleted user id, which makes account takeover of any newly created user with the same user id possible.

Details

The SuiteCRM application fails to properly invalidate password reset links associated with a deleted user id. A reset link issued to a user remains valid after that user is deleted, so if a new user is later created with the same user id, the old link can be used to reset the new user's password and take over the account.

PoC Details

For demonstration purposes we'll use 2 users:
1. Ron - low privileged user
2. Admin - administrator user

1. Navigate to “Forgot password”, enter the username Ron and the email address configured for Ron's account. A password reset link is sent to that address; save the password reset link.
2. Log in as Admin, go to “Employees” and delete the user Ron.
3. Go to “Admin”, “User Management” and create a new user with the user id Ron.
4. Log out and use the saved password reset link to reset the password for the user Ron.

Note: In order for this PoC to work, the SMTP settings must be configured.
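The scenario above, replayed against an added Python model of a password-reset flow (this is illustration code, not SuiteCRM's own): with `bind_to_record=False` the token is tied to the username alone and the saved link still works after the user id is re-created; the hardened mode binds each token to the unique id of the account record that requested it and purges that record's tokens when it is deleted. The class, method and user names are constructed for this example.

```python
import hashlib
import secrets
import time

class ResetTokenStore:
    # Constructed model of a reset flow (not SuiteCRM code). bind_to_record=False
    # ties a token to the username only, as in CVE-2021-25961; True ties it to the
    # id of the account record that requested it and purges tokens on deletion.
    def __init__(self, bind_to_record: bool):
        self.bind_to_record = bind_to_record
        self.users = {}   # username -> {"record_id": str, "password": str}
        self.tokens = {}  # sha256(token) -> {"username", "record_id", "expires"}

    def create_user(self, username: str, password: str) -> None:
        # Every account record gets a fresh id, even when the username is reused.
        self.users[username] = {"record_id": secrets.token_hex(8), "password": password}

    def delete_user(self, username: str) -> None:
        record_id = self.users.pop(username)["record_id"]
        if self.bind_to_record:  # hardened: discard every token issued to this record
            self.tokens = {h: t for h, t in self.tokens.items() if t["record_id"] != record_id}

    def request_reset(self, username: str, ttl_seconds: int = 3600) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = {  # store only the hash
            "username": username,
            "record_id": self.users[username]["record_id"],
            "expires": time.time() + ttl_seconds,
        }
        return token

    def redeem(self, token: str, new_password: str) -> bool:
        entry = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or time.time() > entry["expires"]:
            return False
        user = self.users.get(entry["username"])
        if user is None:
            return False
        if self.bind_to_record and user["record_id"] != entry["record_id"]:
            return False  # the username now belongs to a different account record
        user["password"] = new_password
        return True

def replay_after_recreate(bind_to_record: bool) -> bool:
    store = ResetTokenStore(bind_to_record)
    store.create_user("ron", "original")
    link = store.request_reset("ron")      # reset link issued to the first Ron
    store.delete_user("ron")               # Admin deletes Ron
    store.create_user("ron", "recreated")  # new user created with the same user id
    return store.redeem(link, "attacker-chosen")
```

`replay_after_recreate(False)` returns True (the stale link reset the new user's password) and `replay_after_recreate(True)` returns False; a regression test of this shape is a cheap way to keep the fix in place.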

Affected Environments

v7.1.7 - v7.10.31 and v7.11-beta - v7.11.20

Prevention

Upgrade to version v7.10.32, v7.11.21 or higher

Language: PHP

Good to know:


Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Upgrade Version

Upgrade to version v7.10.32 or v7.11.21


Base Score (CVSS v3):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score (CVSS v2):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial