CVE-2022-1235 – remdex/livehelperchat

Package

Manager: composer
Name: remdex/livehelperchat
Vulnerable Version: >=0 <3.96

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00091 pctl0.26745

Details

Weak password hash in LiveHelperChat The secrethash, which the application relies for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possilibities ( 1.099.511.627.776 ). The SHA1 of the secret can be obtained via a captcha string and brute-forced offline with an GPU.

Metadata

Created: 2022-04-06T00:01:31Z
Modified: 2022-04-19T18:01:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-vx8v-g3p3-88vg/GHSA-vx8v-g3p3-88vg.json
CWE IDs: ["CWE-916"]
Alternative ID: GHSA-vx8v-g3p3-88vg
Finding: F052
Auto approve: 1