Skip to main content

Mangati NovoSGA CVE-2025-11322

LOW
Weak Password Requirements (CWE-521)
2025-10-06 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:00 vuln.today

DescriptionCVE.org

A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component User Creation Page. Executing manipulation of the argument Senha/Confirmação da senha can lead to weak password requirements. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Weak password requirements in Mangati NovoSGA up to version 2.2.12 allow remote attackers to bypass password policy validation during user account creation via manipulation of the Senha/Confirmação da senha (password/password confirmation) parameters on the /novosga.users/new endpoint. The vulnerability is difficult to exploit (CVSS AC:H) and offers only low confidentiality impact, but public exploit code is available and enables brute-force attacks against weak user credentials. EPSS score of 0.04% (percentile 12%) indicates limited real-world exploitation likelihood despite CVE publication.

Technical ContextAI

Mangati NovoSGA is a Brazilian queue management system. The vulnerability resides in the user creation functionality (component User Creation Page) at the /novosga.users/new endpoint. The flaw is classified as CWE-521 (Weak Password Requirements), indicating the application fails to enforce adequate password complexity or length validation. The manipulation of the Senha (password) and Confirmação da senha (password confirmation) arguments suggests the application either accepts empty strings, very short passwords, or lacks server-side validation of password strength criteria. Remote attackers can interact with the user creation interface to create accounts with weak passwords, which then become targets for dictionary or brute-force attacks. This is a web application logic flaw rather than a network protocol or cryptographic vulnerability.

Affected ProductsAI

Mangati NovoSGA versions up to and including 2.2.12 are confirmed affected. The user creation page component is the affected functionality. No specific CPE string was provided in the source data, but CVE-2025-11322 is tied to Mangati NovoSGA as referenced in vuldb.com (CVE identifier 327203) and the GitHub disclosure repository (marcelomulder/CVE). Users of NovoSGA versions prior to 2.2.12 should verify their specific version against the vendor's release notes.

RemediationAI

Upgrade Mangati NovoSGA to a patched version beyond 2.2.12 if available from the vendor. Given the lack of vendor response documented in the CVE description, verify directly with Mangati (or the current maintainer) whether a patch exists. If no patch is forthcoming, implement compensating controls: (1) enforce password policy at the LDAP/directory level (if NovoSGA integrates with Active Directory or LDAP) to override weak application-level acceptance, (2) implement a Web Application Firewall (WAF) rule to reject user creation requests with passwords shorter than 12 characters or lacking complexity markers (capitals, numbers, symbols), and (3) monitor and disable accounts with weak passwords post-hoc using NovoSGA's administrative interface or a scheduled policy audit script. Note that WAF-level controls may impact legitimate administrative workflows if weak temporary passwords are intentionally issued. The highest-confidence fix remains patching if available; otherwise, directory-level password policy enforcement is the most robust workaround because it applies uniformly across all applications using that directory.

CVE-2012-2441 HIGH POC
8.5 Apr 28

RuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address fi

CVE-2024-42850 CRITICAL POC
9.8 Aug 16

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity

CVE-2025-28200 CRITICAL POC
9.8 May 09

Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits o

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-63747 CRITICAL POC
9.8 Nov 17

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immedia

CVE-2023-37756 CRITICAL POC
9.8 Sep 14

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creatio

CVE-2023-2160 CRITICAL POC
9.8 Apr 18

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0. Rated critical severity (CVSS 9.8), this

CVE-2023-2106 CRITICAL POC
9.8 Apr 15

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. Rated critical severity (CVSS 9.8)

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-44236 CRITICAL POC
9.8 Dec 15

Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) has a Weak password vulnerability. R

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2022-3268 CRITICAL POC
9.8 Sep 22

Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. Rated critical severity (CVSS 9.8), this

Share

CVE-2025-11322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy