8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2921

GHSA ID

GHSA-44w5-q257-8428

EPSS Score

0.34648%

CWE

CWE-359

Published

8/22/2022

Updated

1/28/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2921

CVE-2022-2921: Exposure of password hashes in notrinos/notrinos-erp

The AP officers account is authorized to Backup and Restore the Database, Due to this he/she can download the backup and see the password hash of the System Administrator account, The weak hash (MD5) of the password can be easily cracked and get the admin password.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-2921

CVE-2022-2921:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2921

GHSA ID

GHSA-44w5-q257-8428

EPSS Score

0.34648%

CWE

CWE-359

Published

8/22/2022

Updated

1/28/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
notrinos/notrinos-erp	composer	< 0.7	0.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) Use of MD5 for password hashing, and 2) Exposure of these hashes through database backups. The get_user_auth function was vulnerable because it implemented authentication using MD5 hash comparisons, making credential cracking feasible. The update_admin_password function (called in create_coy.php) was vulnerable because it generated and stored MD5 hashes during admin account creation. These functions were explicitly modified in the patch (replaced with bcrypt/password_hash), confirming their role in the vulnerability. The commit diff shows direct MD5 usage in these functions' pre-patch versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-2921: Exposure of password hashes in notrinos/notrinos-erp

CVE-2022-2921:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

8.8

8.8

CVE-2022-2921: Exposure of password hashes in notrinos/notrinos-erp

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI