CVE-2023-0905
Published: 18 February 2023
Summary
CVE-2023-0905 is a high-severity Improper Authentication (CWE-287) vulnerability in Employee Task Management System Project Employee Task Management System. Its CVSS base score is 7.3 (High).
Operationally, ranked in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A critical improper authentication vulnerability, tracked as CVE-2023-0905 and assigned CWE-287, affects SourceCodester Employee Task Management System version 1.0. The flaw resides in an unauthenticated function within changePasswordForEmployee.php; manipulation of the endpoint allows attackers to bypass authentication checks entirely.
Remote attackers can exploit the issue over the network without credentials or user interaction, achieving limited control over employee password changes as reflected in the CVSS 7.3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Public proof-of-concept code has been released, confirming the attack is practical against exposed instances.
No vendor advisory or patch information is referenced in the available sources. The associated EPSS score reached a modest peak of 0.0597 before receding to 0.0362, indicating limited and non-persistent exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12893
Vulnerability details
A vulnerability classified as critical has been found in SourceCodester Employee Task Management System 1.0. Affected is an unknown function of the file changePasswordForEmployee.php. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit…
more
has been disclosed to the public and may be used. VDB-221454 is the identifier assigned to this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
Session content review can reveal authentication bypasses or failures in session establishment.
Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.