CVE-2020-28874

2021-01-2618:15:51

Google

osv.dev

7.1 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).

CPENameOperatorVersion
projectsendeqr753
projectsendeqr756
projectsendeqr1053
projectsendeqr1070
projectsendeqr559
projectsendeqr754

Name	Operator	Version
projectsend	eq	r753
projectsend	eq	r756
projectsend	eq	r1053
projectsend	eq	r1070
projectsend	eq	r559
projectsend	eq	r754

References

projectsend.com

github.com/projectsend/projectsend/commit/440204734e9a1687cb9887e1c887173d23c5a93e

github.com/projectsend/projectsend/commits/master

github.com/projectsend/projectsend/releases/tag/r1295

github.com/varandinawer/CVE-2020-28874