CVE-2023-31123

CRITICAL

effectindex/tripreporter < 2023-04-30 - Improper Password Verification

Title source: llm

Description

`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually.

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_confirm

https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6

Patch x_refsource_misc

https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b

View Patch ZIP pw:eip

Scores

CVSS v3 9.1

EPSS 0.0065

EPSS Percentile 46.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-287

Status published

Products (1)

effectindex/tripreporter < 2023-04-30

Published May 08, 2023

Tracked Since Feb 18, 2026