Brute Force Vulnerability in Craft CMS by Pixel & Tonic
CVE-2019-15929

9.8CRITICAL

Key Information:

Vendor: Craftcms
Status: Craft Cms
Vendor: CVE Published:; 24 October 2019

What is CVE-2019-15929?

In Craft CMS up to version 3.1.7, the elevated session password prompt lacked proper rate limiting, which can result in unrestrained brute force attempts. This vulnerability can potentially lead to unauthorized access if exploited, allowing an attacker to guess user passwords successfully over repeated attempts. It's essential for users to upgrade to patched versions to mitigate this risk.

References

https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3...

x_refsource_MISC

http://packetstormsecurity.com/files/155012/Craft-CMS-Rat...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 24, 2019
Vulnerability Reserved
Sep 4, 2019

Craftcms

What is CVE-2019-15929?

References

CVSS V3.1

Timeline