CVE-2024-3777

Improper Access Control (CWE-284)

Published: Apr 15, 2024 / Updated: 7mo ago

CVSS 9.8 | EPSS 0.09% | Critical

The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
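The description above names the whole bug: the reset endpoint trusts the caller's claim about which account to reset and demands no proof of control. Below is an added, illustrative Python example of that pattern beside a hardened version; it is not QbiBot's code, and the user store, function names, token format and 15-minute lifetime are assumptions made for the demo.

```python
"""Password reset without access control, and a version that requires proof.

Added example for CVE-2024-3777, not the vendor's code. The unsafe handler
lets any unauthenticated caller pick a username and set its password. The safe
handler only honours a fresh, single-use token that was issued for that exact
account and delivered out of band to its owner.
"""
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample user store: username -> salted password hash (demo only).
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"salt|alice-old").hexdigest()},
    "admin": {"pw_hash": hashlib.sha256(b"salt|admin-old").hexdigest()},
}


def _hash_password(password: str) -> str:
    # Demo-grade hashing; real code would use argon2, bcrypt or scrypt.
    return hashlib.sha256(b"salt|" + password.encode()).hexdigest()


# --- Vulnerable pattern (CWE-284): reset keyed only on the target username ---
def reset_password_unsafe(username: str, new_password: str) -> bool:
    """No session, no token, no ownership check: anyone can reset anyone."""
    user = USERS.get(username)
    if user is None:
        return False
    user["pw_hash"] = _hash_password(new_password)
    return True


# --- Hardened pattern: reset requires a fresh, single-use, account-bound token ---
TOKEN_TTL_SECONDS = 900  # assumed lifetime for the demo
RESET_TOKENS = {}        # sha256(raw token) -> {"username": ..., "expires": ...}


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Return the raw token to deliver only to the account owner (e.g. by e-mail).

    The caller should answer the HTTP request identically whether or not the
    account exists, so this endpoint cannot be used for user enumeration.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
    # Store only a hash: a leaked table cannot be replayed as live tokens.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "username": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def reset_password_safe(username: str, token: str, new_password: str,
                        now: Optional[float] = None) -> bool:
    """Accept the reset only with a valid, unexpired token bound to `username`."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(digest, None)  # single use: consumed on any attempt
    if record is None:
        return False
    if now > record["expires"]:
        return False
    if record["username"] != username:
        # Token is genuine but was issued for a different account.
        return False
    USERS[username]["pw_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    # Attacker resets the admin account with nothing but its name.
    print("unsafe reset of admin:", reset_password_unsafe("admin", "pwned"))
    # Same attempt against the hardened flow fails without a real token.
    print("safe reset without token:", reset_password_safe("admin", "guess", "pwned"))
    # Legitimate owner flow: token issued, then used once.
    t = issue_reset_token("alice")
    print("owner reset with token:", reset_password_safe("alice", t, "alice-new"))
    print("token replay:", reset_password_safe("alice", t, "again"))
```

The unsafe handler is a faithful model of the advisory's wording: the only input it trusts is an attacker-chosen username. The hardened handler binds the reset to a secret that only the owner receives, consumes the token on the first attempt regardless of outcome, enforces an expiry, and refuses a token issued for another account.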

Timeline

CVSS

A CVSS base score of 9.8 has been assigned.

Apr 15, 2024 at 4:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-3777. See article

Apr 15, 2024 at 5:04 AM / Securitricks
EPSS

EPSS Score was set to: 0.04% (Percentile: 8%)

Apr 15, 2024 at 9:42 AM
EPSS

EPSS Score was set to: 0.09% (Percentile: 38.5%)

May 6, 2024 at 9:44 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 14, 2024 at 8:31 AM

Affected Systems

Ai3/qbibot

Links to Mitre Att&cks

T1546.004:

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts

News

cveNotify : 🚨 CVE-2024-3777The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password.🎖@cveNotify
US-CERT Vulnerability Summary for the Week of April 15, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of April 15, 2024
bjackson, Apr 22, 2024

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
10web -- slider_by_10web | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Slider by 10Web allows Reflected XSS. This issue affects Slider by 10Web: from n/a through 1.2.54. | 2024-04-18 | 7.1 | CVE-2024-32578, audit@patchstack.com
adam_bowen -- tax_rate_upload | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adam Bowen Tax Rate Upload allows Reflected XSS. This issue affects Tax Rate Upload: from n/a through 2.4.5. | 2024-04-17 | 7.1 | CVE-2024-32546, audit@patchstack.com
ai3_ -- qbibot_ | The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password. | 2024-04-15 | 9.8 | CVE-2024-3777, twcert@cert.org.tw
ai3_ -- qbibot_ | The file upload functionality of Ai3 QbiBot does not properly restrict types of uploaded files, allowing remote attackers with administrator privilege to upload files with dangerous type containing malicious code. | 2024-04-15 | 7.2 | CVE-2024-3778, twcert@cert.org.tw
aitthemes -- citadela_listing | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AitThemes Citadela Listing. This issue affects Citadela Listing: from n/a through 5.18.1. | 2024-04-16 | 7.5 | CVE-2024-32086, audit@patchstack.com
akana -- community_manager_developer_portal | A server-side request forgery (SSRF) was discovered in the Akana Community Manager Developer Portal in versions prior to and including 2022.1.3. Reported by Jakob Antonsson.
CVE-2024-3777 - Exploits & Severity - Feedly
A CVSS base score of 9.8 has been assigned. EPSS Score was set to: 0% (Percentile: 8%)
CVE-2024-3777
Critical Severity Description The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password. Read more at https://www.tenable.com/cve/CVE-2024-3777

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
