Overview
JetboxOne does not encrypt information in the account information database. Any user with the ability to query the database may be able to view confidential account information.
Description
JetboxOne is an open-source content management system that is written in PHP. An information disclosure vulnerability exists because JetboxOne does not encrypt account information stored in the admin (user) and webuser (standard user) tables of a MySQL database. |
Impact
Any user with the ability to query the database may be able to view confidential account information. This may lead to unauthorized access to other accounts. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was publicly reported by y3dips.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | None |
| Severity Metric: | 0.23 |
| Date Public: | 2004-08-04 |
| Date First Published: | 2004-08-13 |
| Date Last Updated: | 2004-08-13 19:38 UTC |
| Document Revision: | 37 |