CVE-2020-7378

CRITICAL

Opencrx < 4.3.0 - Authentication Bypass

Title source: rule

Description

CRIXP OpenCRX versions 4.30 and 5.0-20200717 and prior suffer from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

Exploits (2)

nomisec WORKING POC 5 stars
by ruthvikvegunta · poc
https://github.com/ruthvikvegunta/openCRX-CVE-2020-7378
nomisec WORKING POC
by loganpkinfosec · poc
https://github.com/loganpkinfosec/CVE-2020-7378

Scores

CVSS v3 9.1
EPSS 0.0869
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-620 CWE-287
Status published
Products (3)
opencrx/opencrx 5.0 20200714 (3 CPE variants)
opencrx/opencrx 5.0.0
opencrx/opencrx < 4.3.0
Published Nov 24, 2020
Tracked Since Feb 18, 2026