CSRF Vulnerability in NukeViet 4.4 Admin Interface Affects User Passwords
CVE-2020-13157

6.5MEDIUM

Key Information:

Vendor: Nukeviet
Status: Nukeviet
Vendor: CVE Published:; 23 June 2020

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-13157?

The NukeViet 4.4 platform contains a Cross-Site Request Forgery (CSRF) vulnerability in the modules/users/admin/edit.php file. This flaw allows unauthorized users to change a user’s password without requiring the old password. An attacker could leverage this vulnerability by crafting a malicious link that, when accessed, would change the victim's password without their consent, potentially locking them out of their account.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-13157 - Proof of Concept

References

https://nukeviet.vn/en/

x_refsource_MISC

https://www.exploit-db.com/exploits/48489

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 23, 2020
👾
Exploit known to exist
Jun 23, 2020
Vulnerability published
Jun 23, 2020
Vulnerability Reserved
May 18, 2020

CVE-2020-13157 Data

JSON

Nukeviet

Badges

What is CVE-2020-13157?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline