CVE-2020-18698: Lin-CMS-Flask vulnerable to Improper Authentication

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.7481%
Published: 5/24/2022
Updated: 9/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
Lin-CMS        pip         = 0.1.1               (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. Multiple authoritative sources (CVE, GHSA, NVD) explicitly identify the 'login' function in app/api/cms/user.py as the vulnerable component.
  2. GitHub issue #27 directly references line 43 of that file as lacking any restriction on login attempts.
  3. CWE-307 (Improper Restriction of Excessive Authentication Attempts) describes exactly this failure mode: an authentication endpoint that accepts an unlimited number of credential guesses.
  4. The weakness sits in the authentication entry point itself, which is where a brute-force attack surface would be expected.
  5. No other functions are mentioned in any of the vulnerability reports or descriptions.
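The following is an added example, not code from Lin-CMS-Flask or from this page: it places the unrestricted pattern the advisory describes (a login function that evaluates every attempt and never counts failures) beside a hardened handler that implements the CWE-307 mitigation, a sliding-window failure counter keyed on (username, client IP) with a temporary lockout. The credential store, the wordlist, the lockout parameters and the client IP are constructed for the demonstration; the guard is framework-independent so it runs without Flask, and a fake clock makes the lockout expiry reproducible offline.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed credential store for the example (not Lin-CMS data):
# username -> PBKDF2-SHA256 hex digest. The fixed salt and iteration count
# are illustrative; a real deployment uses a random per-user salt.
_SALT = b"example-salt"
_ITERATIONS = 10_000


def _digest(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS).hex()


USERS = {"admin": _digest("correct-horse-42")}


def verify_password(username: str, password: str) -> bool:
    """Constant-time credential check; unknown users still pay the hash cost."""
    stored = USERS.get(username)
    candidate = _digest(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def login_unrestricted(username: str, password: str) -> bool:
    """The pattern CVE-2020-18698 describes: every attempt is evaluated and
    nothing counts failures, so a remote attacker can guess indefinitely."""
    return verify_password(username, password)


class LoginGuard:
    """Hardened variant: failures within a sliding window are counted per
    (username, client IP); reaching the limit locks that pair out for a while."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=300,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> clock time the lock expires

    def _key(self, username, ip):
        return (username.strip().lower(), ip)

    def retry_after(self, username, ip):
        """Seconds until this (username, ip) may try again; 0 when not locked."""
        until = self._locked_until.get(self._key(username, ip), 0.0)
        return max(0.0, until - self.clock())

    def login(self, username, password, ip):
        key = self._key(username, ip)
        now = self.clock()
        if self.retry_after(username, ip) > 0:
            # Refuse before touching the password store: no oracle while locked.
            return "locked"
        if verify_password(username, password):
            self._failures.pop(key, None)      # success resets the counter
            return "ok"
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()                   # drop failures outside the window
        if len(window) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            window.clear()
        return "denied"


def brute_force(attempt, username, wordlist):
    """Send each candidate to attempt(); return (password_found_or_None, attempts_sent)."""
    for n, guess in enumerate(wordlist, 1):
        if attempt(username, guess):
            return guess, n
    return None, len(wordlist)


# Constructed wordlist; the real password sits past the lockout threshold.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty",
            "welcome", "dragon", "correct-horse-42", "monkey", "football"]


class FakeClock:
    """Deterministic clock so lockout expiry can be shown without sleeping."""
    def __init__(self): self.t = 1000.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    """Run both handlers against the same wordlist and return the outcomes."""
    unguarded = brute_force(login_unrestricted, "admin", WORDLIST)
    clock = FakeClock()
    guard = LoginGuard(max_failures=5, lockout_seconds=300, clock=clock)
    guarded = brute_force(
        lambda u, p: guard.login(u, p, "203.0.113.7") == "ok", "admin", WORDLIST)
    locked = guard.login("admin", "correct-horse-42", "203.0.113.7")
    clock.advance(301)
    after_expiry = guard.login("admin", "correct-horse-42", "203.0.113.7")
    return unguarded, guarded, locked, after_expiry


if __name__ == "__main__":
    print(demo())
```

Against the unrestricted handler the wordlist succeeds on the eighth guess; against the guard the fifth failure triggers the lockout, the remaining guesses (including the correct one) are refused without consulting the credential store, and the legitimate password is accepted again only once the lockout has expired. Keying on both username and client IP limits the damage an attacker can do by locking out a victim, while a production deployment would also persist the counters in shared storage and add a CAPTCHA or progressive delay.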

WAF Protection Rules

WAF Rule

Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component `app/api/cms/user.py`.
