Cyber Resilience

CVE-2023-0905

HighPublic PoC

Published: 18 February 2023

Published
18 February 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0362 88.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-0905 is a high-severity Improper Authentication (CWE-287) vulnerability in Employee Task Management System Project Employee Task Management System. Its CVSS base score is 7.3 (High).

Operationally, ranked in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A critical improper authentication vulnerability, tracked as CVE-2023-0905 and assigned CWE-287, affects SourceCodester Employee Task Management System version 1.0. The flaw resides in an unauthenticated function within changePasswordForEmployee.php; manipulation of the endpoint allows attackers to bypass authentication checks entirely.

Remote attackers can exploit the issue over the network without credentials or user interaction, achieving limited control over employee password changes as reflected in the CVSS 7.3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Public proof-of-concept code has been released, confirming the attack is practical against exposed instances.

No vendor advisory or patch information is referenced in the available sources. The associated EPSS score reached a modest peak of 0.0597 before receding to 0.0362, indicating limited and non-persistent exploitation interest after disclosure.

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in SourceCodester Employee Task Management System 1.0. Affected is an unknown function of the file changePasswordForEmployee.php. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit…

more

has been disclosed to the public and may be used. VDB-221454 is the identifier assigned to this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

employee task management system project
employee task management system
1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-287

Detects unauthorized successful logons resulting from improper authentication implementations.

addresses: CWE-287

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

addresses: CWE-287

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

addresses: CWE-287

Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

addresses: CWE-287

Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

addresses: CWE-287

Session content review can reveal authentication bypasses or failures in session establishment.

addresses: CWE-287

Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.

addresses: CWE-287

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

References