Gophish
CVE-2020-24713
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Gophish through 0.10.1 does not invalidate the gophish cookie upon logout.
AnalysisAI
Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-613. Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. Affected products include: Getgophish Gophish. Version information: through 0.10.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. Rated high severity (CVSS 7.8),
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phis
The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via
This affects the package github.com/gophish/gophish before 0.12.0. Rated medium severity (CVSS 5.4), this vulnerability
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. Rated m
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. Rated med
Gophish before 0.11.0 allows SSRF attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. Rated medium severity (CVSS 6.1), this vu
Gophish through 0.8.0 allows XSS via a username. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploi
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today