Cerebrate
Monthly
Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated user holding inbox or audit log access privileges. The hashed credential appeared unredacted across HTML, JSON, and CSV inbox responses and was also written unredacted into audit log entries, as confirmed by commit 02da6d7 and its accompanying test assertions checking for suppression of the $2y$10$ bcrypt prefix. Exploitation requires PR:H per the CVSS 4.0 vector, no active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.
Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.
Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated user holding inbox or audit log access privileges. The hashed credential appeared unredacted across HTML, JSON, and CSV inbox responses and was also written unredacted into audit log entries, as confirmed by commit 02da6d7 and its accompanying test assertions checking for suppression of the $2y$10$ bcrypt prefix. Exploitation requires PR:H per the CVSS 4.0 vector, no active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.
Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.
Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.