CVE-2019-15929
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
Affected (1)
References (4)
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Release Notes, Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes, Third Party Advisory
Timeline (9)
11/21/2024: 2 changes
CVE Modified - Reference
04:29 AM
- -
+ https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#317---2019-01-31
CVE Modified - Reference
04:29 AM
- -
+ http://packetstormsecurity.com/files/155012/Craft-CMS-Rate-Limiting-Brute-Force.html
10/30/2019: 6 changes
Initial Analysis - CPE Configuration
01:52 PM
- -
+ OR
*cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* versions up to (including) 3.1.7
Initial Analysis - CWE
01:52 PM
- -
+ NIST CWE-640
Initial Analysis - Reference Type
01:52 PM
- https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#317---2019-01-31 No Types Assigned
+ https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#317---2019-01-31 Release Notes, Third Party Advisory
Initial Analysis - Reference Type
01:52 PM
- http://packetstormsecurity.com/files/155012/Craft-CMS-Rate-Limiting-Brute-Force.html No Types Assigned
+ http://packetstormsecurity.com/files/155012/Craft-CMS-Rate-Limiting-Brute-Force.html Third Party Advisory
Initial Analysis - CVSS V3.1
01:52 PM
- -
+ NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Initial Analysis - CVSS V2
01:52 PM
- -
+ NIST (AV:N/AC:L/Au:N/C:P/I:N/A:N)
10/29/2019: 1 change
CVE Modified - Reference
07:15 PM
- -
+ http://packetstormsecurity.com/files/155012/Craft-CMS-Rate-Limiting-Brute-Force.html [No Types Assigned]