CVE-2018-1000554

9.8 CRITICAL

📋 TL;DR

Trovebox versions up to 4.0.0-rc6 have an insecure password reset token generation vulnerability that allows attackers to reset user passwords without authorization. This affects all Trovebox instances running vulnerable versions. Attackers can exploit this via HTTP requests to gain unauthorized access.

💻 Affected Systems

Products:
  • Trovebox
Versions: <= 4.0.0-rc6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations running affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover of any user, including administrators, leading to data theft, system compromise, and potential lateral movement.

🟠 Likely Case: Unauthorized password reset for standard users, resulting in account compromise and potential data exposure.

🟢 If Mitigated: Limited impact if strong authentication controls, monitoring, and network segmentation are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires HTTP access to the vulnerable endpoint; detailed technical analysis is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: After commit 742b8ed

Vendor Advisory: https://telekomsecurity.github.io/2018/04/trovebox-vulnerabilities.html

Restart Required: Yes

Instructions:

1. Update Trovebox to a version after commit 742b8ed.
2. Restart the Trovebox service.
3. Verify the fix by testing password reset functionality.

🔧 Temporary Workarounds

Disable Password Reset (platform: all)

Temporarily disable the password reset functionality if patching is not immediately possible.

Modify Trovebox configuration to disable user password reset endpoints.

Network Access Control (platform: linux)

Restrict access to Trovebox password reset endpoints using firewall rules. Note that a payload string match only sees plaintext HTTP: it has no effect when TLS terminates at Trovebox itself, and it drops only the packet that carries the matching bytes, so treat it as a stopgap rather than a substitute for patching.

iptables -A INPUT -p tcp --dport [TROVEBOX_PORT] -m string --string "user/reset" --algo bm -j DROP

🧯 If You Can't Patch

  • Implement strong network segmentation to isolate Trovebox from untrusted networks.
  • Enable detailed logging and monitoring for password reset attempts and review regularly.

🔍 How to Verify

Check if Vulnerable:

Check Trovebox version; if <= 4.0.0-rc6, it is vulnerable. Test password reset token generation for predictability.

Check Version:

Check Trovebox admin panel or configuration files for version information.

Verify Fix Applied:

Verify Trovebox version is after commit 742b8ed and test that password reset tokens are securely generated.
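What "securely generated" means in practice, as an added example that is not code from this page or from the Trovebox project: a hypothetical reset-token store that draws tokens from the OS CSPRNG, keeps only their hashes, expires them and allows each to be used once, alongside a coarse checker a defender can run over tokens collected from real reset e-mails. The timestamp-based generator is a constructed illustration of the weak pattern, not a description of Trovebox's actual code; all names and the 30-minute TTL are assumptions.

```python
import hashlib
import math
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_BYTES = 32                   # 256 bits of CSPRNG output per token
TOKEN_TTL = timedelta(minutes=30)  # assumed lifetime; tokens stop working after this


class ResetTokenStore:
    """Issues single-use, expiring reset tokens and stores only their hashes.

    Hypothetical reference design, not the Trovebox implementation.
    """

    def __init__(self, now=None):
        self._records = {}  # sha256(token) -> (user_id, expires_at)
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        # secrets draws from the OS CSPRNG; nothing about the user, the
        # clock or previously issued tokens feeds into the value.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._records[self._digest(token)] = (user_id, self._now() + TOKEN_TTL)
        return token

    def redeem(self, token):
        # pop() makes the token single-use whether or not it is still valid;
        # only the hash is stored, so a leaked table cannot be replayed.
        record = self._records.pop(self._digest(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if self._now() > expires_at:
            return None
        return user_id


def assess_token_sample(tokens, min_bits=128):
    """Coarse checks on a sample of issued tokens: no repeats, and enough
    length over the observed alphabet. Returns (ok, list_of_problems)."""
    problems = []
    if len(set(tokens)) != len(tokens):
        problems.append("duplicate tokens issued")
    alphabet = set("".join(tokens))
    bits_per_char = math.log2(max(len(alphabet), 2))
    short = [t for t in tokens if len(t) * bits_per_char < min_bits]
    if short:
        problems.append(f"{len(short)} token(s) carry fewer than {min_bits} bits")
    return (not problems, problems)


def weak_time_tokens(request_times):
    """Constructed example of an insecure generator: the token is just the
    request timestamp, so it is guessable and repeats within one second."""
    return [str(int(t)) for t in request_times]


def secure_sample(n=5):
    store = ResetTokenStore()
    return [store.issue(f"user{i}") for i in range(n)]


def demo():
    """Exercise issue/redeem against a fixed clock; returns the outcomes."""
    clock = {"now": datetime(2018, 4, 10, 12, 0, tzinfo=timezone.utc)}
    store = ResetTokenStore(now=lambda: clock["now"])
    token = store.issue("alice")
    first = store.redeem(token)        # "alice"
    second = store.redeem(token)       # None: single use
    later = store.issue("bob")
    clock["now"] += TOKEN_TTL + timedelta(seconds=1)
    expired = store.redeem(later)      # None: past TTL
    bogus = store.redeem("not-a-token")
    return {"first": first, "second": second, "expired": expired, "bogus": bogus}


if __name__ == "__main__":
    print(demo())
    print(assess_token_sample(weak_time_tokens([1523361600.1, 1523361600.4, 1523361600.9])))
    print(assess_token_sample(secure_sample()))
```

The checker catches only gross defects (repeated or short tokens); it cannot prove unpredictability, so the authoritative verification remains confirming the deployment is past commit 742b8ed.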

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of password reset requests
  • Password reset attempts from unexpected IP addresses

Network Indicators:

  • HTTP requests to /user/reset endpoints with suspicious patterns

SIEM Query:

source="trovebox" AND (url="/user/reset" OR action="password_reset") | stats count by src_ip
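The log and network indicators above, worked as an added example that is not from this page or the Trovebox project: a parser for combined-format access logs, a per-source count that mirrors the SIEM query, and a sliding-window check that flags sources bursting the reset endpoint. It assumes reset requests hit paths beginning with /user/reset; the log lines, IP addresses and the 5-per-60-seconds threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). They are
# illustrative only, not real Trovebox logs: 203.0.113.5 bursts the reset
# endpoint, the other clients use it at a normal rate, and the last line
# is malformed on purpose.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2018:12:00:01 +0000] "GET /user/reset HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2018:12:00:02 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2018:12:00:03 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2018:12:00:05 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2018:12:00:07 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2018:12:00:09 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2018:12:01:10 +0000] "GET /photos/list HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2018:12:01:30 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2018:12:05:00 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2018:13:05:00 +0000] "POST /user/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

RESET_PREFIX = "/user/reset"  # assumed path family for Trovebox resets


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_reset_request(entry, prefix=RESET_PREFIX):
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    return path == prefix or path.startswith(prefix + "/")


def reset_counts(lines):
    """Equivalent of the SIEM query: reset requests per source IP."""
    counts = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry and is_reset_request(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


def flag_reset_bursts(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold reset requests inside any window.
    Returns {ip: peak_requests_in_window} for flagged sources only."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_reset_request(entry):
            per_ip[entry["ip"]].append(entry["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(reset_counts(lines))
    print(flag_reset_bursts(lines))
```

Counting alone (the SIEM query) is a good first pass, but the time window is what separates a burst of resets from a user who legitimately resets twice in a day, so tune the threshold against your own baseline before alerting on it.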
