CVE-2023-37756

moderate-risk
Published 2023-09-14

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation. Attackers are able to easily guess users' passwords via a bruteforce attack.

Do I need to act?

~
6.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

I-Doit
I-Doit

Affected Vendors

I-Doit

References (4)

Exploit https://github.com/leekenghwa/CVE-2023-37756-CWE-521-lead-to-malicious-plugin-up...
https://medium.com/%40ray.999/idoit-pro-v25-and-below-weak-password-add-on-uploa...
Exploit https://github.com/leekenghwa/CVE-2023-37756-CWE-521-lead-to-malicious-plugin-up...
https://medium.com/%40ray.999/idoit-pro-v25-and-below-weak-password-add-on-uploa...
48
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 9/34 · Low
Exposure 7/34 · Low