NVD Vulnerability Detail

CVE-2017-5594

Summary	An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.
Publication Date	Jan. 26, 2017, 3:59 a.m.
Registration Date	Jan. 26, 2021, 1:26 p.m.
Last Update	Nov. 21, 2024, 12:27 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:pagekit:pagekit::::::::			1.0.10

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/95806	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/95806	Third Party Advisory VDB Entry
3	https://github.com/pagekit/pagekit/commit/e0454f9c037c427a5ff76a57e78dbf8cc00c268b	Patch
4	https://github.com/pagekit/pagekit/commit/e0454f9c037c427a5ff76a57e78dbf8cc00c268b	Patch
5	https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf	Technical Description Third Party Advisory
6	https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf	Technical Description Third Party Advisory
7	https://securelayer7.net/download/poc/password-reset-vulnerability-exploit-ruby-pagekit-cms.rb.txt	Exploit Third Party Advisory
8	https://securelayer7.net/download/poc/password-reset-vulnerability-exploit-ruby-pagekit-cms.rb.txt	Exploit Third Party Advisory
9	https://www.exploit-db.com/exploits/41143/	Exploit Third Party Advisory VDB Entry
10	https://www.exploit-db.com/exploits/41143/	Exploit Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-640	パスワードを忘れた場合の脆弱なパスワードリカバリの仕組み	https://cwe.mitre.org/data/definitions/640.html

JVN Vulnerability Information

Pagekit CMS における登録ユーザのパスワードをリセットされる脆弱性

Title	Pagekit CMS における登録ユーザのパスワードをリセットされる脆弱性
Summary	Pagekit CMS には、デバッグツールバーが有効な場合、登録ユーザのパスワードをリセットされる脆弱性が存在します。
Possible impacts	リモートの攻撃者により、登録ユーザのパスワードをリセットされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 20, 2017, midnight
Registration Date	Feb. 9, 2017, 2:15 p.m.
Last Update	Feb. 9, 2017, 2:15 p.m.

Affected System

YOOtheme

Pagekit 1.0.11 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-5594	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5594
National Vulnerability Database (NVD)
2	CVE-2017-5594	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5594

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-640	https://cwe.mitre.org/data/definitions/640.html

ベンダー情報

No	Name	URL
GitHub
1	Merge branch 'release/1.0.11'	https://github.com/pagekit/pagekit/commit/e0454f9c037c427a5ff76a57e78dbf8cc00c268b

その他

No	Name	URL
関連文書
1	Pentest Report - Pagekit 01-2017 (SL7_PGKT_01)	https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf

Change Log

No	Changed Details	Date of change
0	[2017年02月09日] 掲載	Feb. 17, 2018, 10:37 a.m.