# Exploit Title : Craft CMS up to 3.1.7 Password Prompt Form Lockout weak authentication
# Author [Discovered By] : Mohammed Abdul Raheem
# Author's [Company Name] : TrekShield IT Solution Private Limited
# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
# Found Vulnerability On : 16-01-2019
# Vendor Homepage:https://craftcms.com/
# Software Information Link: https://github.com/craftcms/demo
# Software Affected Versions : CraftCms upto v3.1.7
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : No Rate Limit implemented on Sensitive Actions
# CVE : CVE-2019-15929
####################################################################

# Description about Software :
***************************
Craft is a flexible, user-friendly CMS for creating custom digital
experiences on the web and beyond.

####################################################################

# Vulnerability Description :
*****************************

In CraftCMS upto v3.1.7 the elevated session password prompt was not
being rate limited like normal login forms, all the sensitive actions
were Rate Limited but forgot to implement Rate Limit Protection on
Form Change Password leading to the possibility of a brute force
attempt on them to guess password.


# Impact :
***********
This is going to have an impact on confidentiality. An attacker have
the possibilities to change accounts password with Brute Force Attack.

# Steps To Validate :
*********************

1. Login to CraftCMS account.
2. Go to* https://demo.craftcms.com/
<https://demo.craftcms.com/>*<Token-Here>/s/admin/myacco
unt/
3. Enter New Password and click save
4. Application will ask to enter Current Password.
5. Enter random Password and capture the request with Burp > send to
intruder > start attack with payloads you want.

# ATTACHED POC :
****************

[image: image.png]

# More Information Can be find here :
*************************************
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#security-5

###################################################################

# Discovered By Mohammed Abdul Raheem from TrekShield.com