{"api_version":"1","generated_at":"2026-04-23T09:39:06+00:00","cve":"CVE-2001-1537","urls":{"html":"https://cve.report/CVE-2001-1537","api":"https://cve.report/api/cve/CVE-2001-1537.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2001-1537","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2001-1537"},"summary":{"title":"CVE-2001-1537","description":"The default \"basic\" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges.","state":"PUBLISHED","assigner":"mitre","published_at":"2001-12-31 05:00:00","updated_at":"2025-04-03 01:03:51"},"problem_types":["CWE-312","n/a"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"http://www.securityfocus.com/bid/3591","name":"http://www.securityfocus.com/bid/3591","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"TWIG Plaintext Password in Cookies Under Default Installation Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html","name":"http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.iss.net/security_center/static/7619.php","name":"http://www.iss.net/security_center/static/7619.php","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"ISS X-Force Database:","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2001-1537","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2001-1537","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2001","cve_id":"1537","vulnerable":"1","versionEndIncluding":"2.7.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"symfony","cpe5":"twig","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-08T04:58:11.429Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"20011128 TWIG default configurations may lead to insecure auth-cookie password storage","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html"},{"name":"3591","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/3591"},{"name":"twig-password-plaintext-cookie(7619)","tags":["vdb-entry","x_refsource_XF","x_transferred"],"url":"http://www.iss.net/security_center/static/7619.php"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2001-11-28T00:00:00.000Z","descriptions":[{"lang":"en","value":"The default \"basic\" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2008-03-11T09:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"20011128 TWIG default configurations may lead to insecure auth-cookie password storage","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html"},{"name":"3591","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/3591"},{"name":"twig-password-plaintext-cookie(7619)","tags":["vdb-entry","x_refsource_XF"],"url":"http://www.iss.net/security_center/static/7619.php"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2001-1537","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The default \"basic\" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"20011128 TWIG default configurations may lead to insecure auth-cookie password storage","refsource":"BUGTRAQ","url":"http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html"},{"name":"3591","refsource":"BID","url":"http://www.securityfocus.com/bid/3591"},{"name":"twig-password-plaintext-cookie(7619)","refsource":"XF","url":"http://www.iss.net/security_center/static/7619.php"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2001-1537","datePublished":"2005-07-14T04:00:00.000Z","dateReserved":"2005-07-14T00:00:00.000Z","dateUpdated":"2024-08-08T04:58:11.429Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2001-12-31 05:00:00","lastModifiedDate":"2025-04-03 01:03:51","problem_types":["CWE-312","n/a"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*","versionEndIncluding":"2.7.4","matchCriteriaId":"70F56BAA-E4DF-49D6-950D-073A728B97C6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2001","CveId":"1537","Ordinal":"1","Title":"CVE-2001-1537","CVE":"CVE-2001-1537","Year":"2001"},"notes":[{"CveYear":"2001","CveId":"1537","Ordinal":"1","NoteData":"The default \"basic\" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges.","Type":"Description","Title":"CVE-2001-1537"},{"CveYear":"2001","CveId":"1537","Ordinal":"2","NoteData":"2005-07-14","Type":"Other","Title":"Published"},{"CveYear":"2001","CveId":"1537","Ordinal":"3","NoteData":"2008-03-11","Type":"Other","Title":"Modified"}]}}}