Lucene search

GitHub Advisory DatabaseGHSA-C32W-3CQH-F6JX

HistorySep 02, 2021 - 5:08 p.m.

Weak Password Recovery Mechanism for Forgotten Password

2021-09-0217:08:33

CWE-640

GitHub Advisory Database

github.com

vulnerable

account takeover

password reset

low privileged attacker

user application

forgotten password

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

42.8%

JSON

In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.

Affected configurations

Vulners

Node

dolibarrdolibarrRange<14.0.0

References

github.com/advisories/GHSA-c32w-3cqh-f6jx

github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377

nvd.nist.gov/vuln/detail/CVE-2021-25957

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

42.8%

JSON

Related for GHSA-C32W-3CQH-F6JX