An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages.
The vulnerability classified as CWE-294 (Authentication Bypass by Capture-replay) indicates that the password verification mechanism in the verifyPassword function is susceptible to bypassing the authentication process. An attacker can gain access to pages that should be protected without knowing the correct password. The vulnerability is accessible remotely, without authentication and without user interaction on the victim's side.
An attacker gains unauthorized access to password-protected content on websites using the vulnerable theme, which may lead to disclosure of sensitive information, and depending on the site configuration, may also result in violation of data integrity and availability.
Patches available from the vendor should be applied according to the references. It is recommended to monitor the official project repository on GitHub (blinkfox/hexo-theme-matery) for current information about the fix. Until the patch is implemented, it is advisable to remove password protection from sensitive pages or restrict access to them at the web server or firewall level.
hexo-theme-matery version 2.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H