CVE-2025-48738

An e-mail flooding vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows unauthenticated remote attackers to use the password reset feature without limits. This can lead to several consequences, including mailbox storage exhaustion for targeted users, reputation damage to the SMTP server, potentially causing it to be blacklisted, and overload of the SMTP server's outbound mail queue.

CVSS

No CVSS.

References

Link	Resource
https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2025-003.md

Configurations

No configuration.

History

28 May 2025, 14:58

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de inundación de correo electrónico en StrangeBee TheHive 5.2.0 (anterior a la 5.2.16), 5.3.0 (anterior a la 5.3.11), 5.4.0 (anterior a la 5.4.10) y 5.5.0 (anterior a la 5.5.1) permite a atacantes remotos no autenticados usar la función de restablecimiento de contraseña sin restricciones. Esto puede tener varias consecuencias, como el agotamiento del almacenamiento del buzón de los usuarios objetivo, la pérdida de reputación del servidor SMTP (que podría provocar su inclusión en la lista negra) y la sobrecarga de la cola de correo saliente del servidor SMTP.

23 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-23 20:15

Updated : 2025-05-28 14:58

NVD link : CVE-2025-48738

Mitre link : CVE-2025-48738

CVE.ORG link : CVE-2025-48738

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-48738", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-23T20:15:25.210", "references": [{"url": "https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2025-003.md", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "An e-mail flooding vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows unauthenticated remote attackers to use the password reset feature without limits. This can lead to several consequences, including mailbox storage exhaustion for targeted users, reputation damage to the SMTP server, potentially causing it to be blacklisted, and overload of the SMTP server's outbound mail queue."}, {"lang": "es", "value": "Una vulnerabilidad de inundaci\u00f3n de correo electr\u00f3nico en StrangeBee TheHive 5.2.0 (anterior a la 5.2.16), 5.3.0 (anterior a la 5.3.11), 5.4.0 (anterior a la 5.4.10) y 5.5.0 (anterior a la 5.5.1) permite a atacantes remotos no autenticados usar la funci\u00f3n de restablecimiento de contrase\u00f1a sin restricciones. Esto puede tener varias consecuencias, como el agotamiento del almacenamiento del buz\u00f3n de los usuarios objetivo, la p\u00e9rdida de reputaci\u00f3n del servidor SMTP (que podr\u00eda provocar su inclusi\u00f3n en la lista negra) y la sobrecarga de la cola de correo saliente del servidor SMTP."}], "lastModified": "2025-05-28T14:58:52.920", "sourceIdentifier": "cve@mitre.org"}