CVE-2022-2921: 
PHP vulnerability analysis and mitigation

Exposure of Private Personal Information to an Unauthorized Actor was discovered in GitHub repository notrinos/notrinoserp prior to version 0.7. The vulnerability was assigned CVE-2022-2921 and was disclosed on August 21, 2022. The issue affects the NotrinosERP software and allows privilege escalation from a regular user account to a system administrator account (NVD).

The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The issue allows an attacker with low privileges to escalate their access to system administrator level (NVD).

When exploited, the vulnerability allows attackers to gain unauthorized access to protected functionality including: creating/updating companies, installing/updating languages, installing/activating extensions, installing/activating themes, and performing other administrative actions (NVD).

The vulnerability was fixed in NotrinosERP version 0.7 by changing the password hash method from md5 to bcrypt (GitHub). Users should upgrade to version 0.7 or later to mitigate this vulnerability.