Description

A type confusion vulnerability in lib/NSSAuthenticator.php in ZendTo before v5.04-7 allows remote attackers to bypass authentication for users with passwords stored as MD5 hashes that can be interpreted as numbers. A solution requires moving from MD5 to bcrypt.

PUBLISHED Reserved 2025-04-05 | Published 2025-04-05 | Updated 2025-04-07 | Assigner mitre




MEDIUM: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Problem types

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Product status

Default status: unknown

Any version before 5.04-7: affected

References

projectblack.io/blog/zendto-nday-vulnerabilities/ exploit

cve.org (CVE-2025-32352)

nvd.nist.gov (CVE-2025-32352)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.