CVE-2021-44692 - Vulnerability Details - OpenCVE

ReportizFlow

BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. [email protected] would become /members/johndoeexample-com and [email protected] would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Buddyboss	Buddyboss

Configuration 1 [-]

cpe:2.3:a:buddyboss:buddyboss:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.buddyboss.com/resources/buddyboss-platform-releases/
https://www.cygenta.co.uk/post/buddyboss

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-01-26T15:35:57

Updated: 2024-08-04T04:25:16.960Z

Reserved: 2021-12-06T00:00:00

Link: CVE-2021-44692

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-26T16:15:07.570

Modified: 2024-11-21T06:31:23.183

Link: CVE-2021-44692

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. [email protected] would become /members/johndoeexample-com and [email protected] would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-26T15:35:57", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cygenta.co.uk/post/buddyboss"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2021-44692", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. [email protected] would become /members/johndoeexample-com and [email protected] would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.buddyboss.com/resources/buddyboss-platform-releases/", "refsource": "MISC", "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"name": "https://www.cygenta.co.uk/post/buddyboss", "refsource": "MISC", "url": "https://www.cygenta.co.uk/post/buddyboss"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:25:16.960Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cygenta.co.uk/post/buddyboss"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-44692", "datePublished": "2022-01-26T15:35:57", "dateReserved": "2021-12-06T00:00:00", "dateUpdated": "2024-08-04T04:25:16.960Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:buddyboss:buddyboss:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6C71BB4-0D91-4902-A832-3FB3EE3C2C31", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. [email protected] would become /members/johndoeexample-com and [email protected] would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses."}, {"lang": "es", "value": "La plataforma BuddyBoss versiones hasta 1.8.0, permite a atacantes remotos obtener la direcci\u00f3n de correo electr\u00f3nico de cada usuario. Cuando es creado un nuevo usuario, es generado un ID \u00fanico para su perfil. Este UID es su direcci\u00f3n de correo electr\u00f3nico privada con los s\u00edmbolos eliminados y los puntos sustituidos por guiones. Por ejemplo. [email protected] podr\u00eda ser convertido en /members/johndoeexample-com y [email protected] en /members/jo-testexample-com. La lista de miembros est\u00e1 disponible para todos y (en una configuraci\u00f3n por defecto) a menudo sin autenticaci\u00f3n. Por lo tanto, es trivial recopilar una lista de direcciones de correo electr\u00f3nico"}], "id": "CVE-2021-44692", "lastModified": "2024-11-21T06:31:23.183", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-01-26T16:15:07.570", "references": [{"source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.cygenta.co.uk/post/buddyboss"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.buddyboss.com/resources/buddyboss-platform-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.cygenta.co.uk/post/buddyboss"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Primary"}]}