Vulnerability identifier: #VU93706
Vulnerability risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-307
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
wger
Client/Desktop applications /
Other client software
Vendor: wger Project
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can guess valid usernames and corresponding passwords.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
wger: 1.0 - 2.1
External links
http://huntr.dev/bounties/f0d85efa-4e78-4b1d-848f-edea115af64b
http://github.com/wger-project/wger/commit/5e3167e3a2dc95836fa2607fe201524c031a2c4c
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.