CVE-2021-25961

Published: Sep 29, 2021Modified: Nov 21, 2024

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.

Affected (2)

Products: Salesagility: Suitecrm

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Salesagility Suitecrm	From 7.1.7 to 7.10.32
Salesagility Suitecrm	From 7.11.0 to 7.11.21

Related CWEs

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References (6)

https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961

Source: vulnerabilitylab@mend.io

Third Party Advisory

https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.