Gophish
CVE-2020-24711
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack
AnalysisAI
The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-1021. The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack Affected products include: Getgophish Gophish. Version information: before 0.11.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. Rated high severity (CVSS 7.8),
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived
Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. Rated high severity (CVSS 7.5), this vulnerab
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phis
This affects the package github.com/gophish/gophish before 0.12.0. Rated medium severity (CVSS 5.4), this vulnerability
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. Rated m
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. Rated med
Gophish before 0.11.0 allows SSRF attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. Rated medium severity (CVSS 6.1), this vu
Gophish through 0.8.0 allows XSS via a username. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploi
Share
External POC / Exploit Code
Leaving vuln.today