← Back

CVE-2017-17097

nvd nist
Published: Jan 2, 2018Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.

Affected (33)

Gps Server
1 product
Gps Tracking Software
Configuration A
33 vulnerable
Vulnerable SoftwareAffected Versions
Gps Server
Gps Tracking Software
Version 2.1.1
Gps Tracking Software
Version 2.1.2
Gps Tracking Software
Version 2.1.3
Gps Tracking Software
Version 2.1.4
Gps Tracking Software
Version 2.1.5
Gps Tracking Software
Version 2.1.6
Gps Tracking Software
Version 2.1.7
Gps Tracking Software
Version 2.1.8
Gps Tracking Software
Version 2.1.9
Gps Tracking Software
Version 2.2.1
Gps Tracking Software
Version 2.2.2
Gps Tracking Software
Version 2.2.5
Gps Tracking Software
Version 2.2.7
Gps Tracking Software
Version 2.2
Gps Tracking Software
Version 2.3.2
Gps Tracking Software
Version 2.3.5
Gps Tracking Software
Version 2.3
Gps Tracking Software
Version 2.4.5
Gps Tracking Software
Version 2.4
Gps Tracking Software
Version 2.5.5
Gps Tracking Software
Version 2.5.7
Gps Tracking Software
Version 2.5.8
Gps Tracking Software
Version 2.5.9
Gps Tracking Software
Version 2.5
Gps Tracking Software
Version 2.6
Gps Tracking Software
Version 2.7
Gps Tracking Software
Version 2.8.5
Gps Tracking Software
Version 2.8
Gps Tracking Software
Version 2.9.1
Gps Tracking Software
Version 2.9.2
Gps Tracking Software
Version 2.9.5
Gps Tracking Software
Version 2.9.6
Gps Tracking Software
Version 2.9

Related CWEs

CWE-640
Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References (6)

Source: cve@mitre.org
PatchThird Party Advisory
Source: cve@mitre.org
Release NotesVendor Advisory
Source: cve@mitre.org
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.