CVE-2022-27157

9.8 CRITICAL

📋 TL;DR

CVE-2022-27157 is a weak password recovery mechanism vulnerability in pearweb that allows attackers to reset passwords without proper authentication. This affects all pearweb installations before version 1.32. Attackers can potentially compromise user accounts and gain unauthorized access.

💻 Affected Systems

Products:
  • pearweb
Versions: All versions < 1.32
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All pearweb installations with the vulnerable password recovery mechanism are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of all users, leading to data theft, privilege escalation, and full system compromise.

🟠 Likely Case

Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive data and functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, but still represents an authentication bypass risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the password recovery mechanism and requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.32

Vendor Advisory: https://github.com/pear/pearweb/commit/6447c174a6b4bd76d28ecca8543cbd24bf394f99

Restart Required: No

Instructions:

1. Update pearweb to version 1.32 or later.
2. Replace the vulnerable include/users/passwordmanage.php file with the patched version from the GitHub commit.

🔧 Temporary Workarounds

Disable password recovery functionality

Platform: Linux

Temporarily disable the password recovery feature to prevent exploitation. This also stops legitimate users from recovering their passwords until the file is restored or the patch is applied, so treat it as a stopgap. Run the command from the pearweb installation root.

# Remove or rename the vulnerable file
mv include/users/passwordmanage.php include/users/passwordmanage.php.disabled

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to the password recovery endpoint.
  • Enable detailed logging and monitoring for password reset attempts and implement alerting for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check if pearweb version is below 1.32 and if include/users/passwordmanage.php exists with the vulnerable code.

Check Version:

Check pearweb configuration files or documentation for version information.

Verify Fix Applied:

Verify pearweb version is 1.32 or higher and that the password recovery mechanism requires proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password reset requests
  • Multiple failed password recovery attempts from a single IP
  • Successful password resets without proper authentication

Network Indicators:

  • HTTP requests to password recovery endpoints with suspicious parameters

SIEM Query:

source="pearweb" AND (url="*passwordmanage.php*" OR event="password_reset")
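The log indicators and SIEM query above describe what to look for but not how to test it against raw web-server logs. The script below is an added example, not part of this advisory or of the pearweb project: it parses constructed access-log lines in Apache/nginx combined format (an assumption about how the front-end server logs), keeps the requests whose path names passwordmanage.php (the public URL path that reaches that file is a placeholder), and flags any client IP that sends a burst of recovery requests inside a sliding time window. The threshold and window are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx). Assumption: the web server in front of
# pearweb logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Matches the script named in the advisory; the URL path used below is a placeholder.
RESET_PATH_RE = re.compile(r"passwordmanage\.php", re.IGNORECASE)

# Constructed sample traffic, not real logs: one client bursts recovery requests,
# another makes a single legitimate-looking request, plus noise and a junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:14:01:02 +0000] "POST /passwordmanage.php HTTP/1.1" 200 1482 "-" "curl/7.81.0"
198.51.100.20 - - [10/Mar/2022:14:01:03 +0000] "GET /index.php HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:14:01:09 +0000] "POST /passwordmanage.php HTTP/1.1" 200 1482 "-" "curl/7.81.0"
203.0.113.7 - - [10/Mar/2022:14:01:15 +0000] "POST /passwordmanage.php HTTP/1.1" 200 1482 "-" "curl/7.81.0"
198.51.100.20 - - [10/Mar/2022:14:02:40 +0000] "POST /passwordmanage.php HTTP/1.1" 200 1482 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:14:02:44 +0000] "POST /passwordmanage.php HTTP/1.1" 200 1482 "-" "curl/7.81.0"
203.0.113.7 - - [10/Mar/2022:14:02:51 +0000] "POST /passwordmanage.php HTTP/1.1" 200 1482 "-" "curl/7.81.0"
203.0.113.7 - - [10/Mar/2022:14:03:01 +0000] "POST /passwordmanage.php HTTP/1.1" 302 0 "-" "curl/7.81.0"
this line is not a log entry
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def reset_requests_by_ip(lines):
    """Collect timestamps of requests that hit the password recovery script, keyed by client IP."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and RESET_PATH_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    return hits


def find_reset_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs with at least `threshold` recovery requests in any `window`."""
    flagged = {}
    for ip, stamps in reset_requests_by_ip(lines).items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_reset_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} password recovery requests within 5 minutes")
```

On the constructed sample the script flags 203.0.113.7 (six recovery requests in about two minutes) and ignores 198.51.100.20, which made one. Access logs alone cannot show whether a reset was properly authenticated, so pair this volume check with application-level audit events where pearweb or its SIEM integration provides them.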

🔗 References
