CVE-2019-16106

Published: Sep 10, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to change the password of any user via the recruitment_online/personalData/act_acounttab.cfm txtNewUserName and hdNP fields.

Affected (2)

Products: Humanica: Humatrix

Humanica

1 product

Humatrix

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Humanica Humatrix	Version 1.0.0.681
Humanica Humatrix	Version 7.1.0.0.203

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (4)

https://gist.github.com/suphapholt/5bac4f5cabadfc44746e2bc93c1be91d

Source: cve@mitre.org

Third Party Advisory

https://www.humatrix7.com/sunfish5/ehrm/humanica/recruitment_online/personalData/qry_account.cfm

Source: cve@mitre.org

Broken Link

https://gist.github.com/suphapholt/5bac4f5cabadfc44746e2bc93c1be91d

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.humatrix7.com/sunfish5/ehrm/humanica/recruitment_online/personalData/qry_account.cfm

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.