Cyber Posture

CVE-2025-1341

Low · Public PoC

Published: 16 February 2025

Modified: 16 October 2025
KEV Added
Patch
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0006 (19.2th percentile)
Risk Priority: 7 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability, which was classified as problematic, was found in PMWeb 7.2.0. This affects an unknown part of the component Setting Handler. The manipulation leads to weak password requirements. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.

Security Summary

CVE-2025-1341 is a vulnerability classified as problematic in PMWeb version 7.2.0, specifically affecting an unknown part of the Setting Handler component. It enables weak password requirements through manipulation, mapped to CWE-521. The issue carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low severity with network accessibility but high attack complexity and only low confidentiality impact.

Remote attackers require no privileges to initiate the exploit, though the high complexity makes it difficult to execute successfully. Successful exploitation allows manipulation leading to weak password requirements, potentially enabling low-level confidentiality breaches, such as access to sensitive configuration data via poorly enforced passwords.

Advisories recommend changing configuration settings as the primary mitigation, with no patches available from the vendor, who was contacted early but provided no response. The exploit has been publicly disclosed via references including VulDB entries and a Mega.nz file, and it may be usable by attackers.

Details

CWE(s)
CWE-521

Affected Products

pmweb
pmweb
7.2.00

References