exploitDog

CVE-2023-3222

Published: 04 Sep 2023
Source: nvd
CVSS3: 7.5
EPSS Low

Description

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.

Vulnerable configurations

Configuration 1
cpe:2.3:a:password_recovery_project:password_recovery:1.2:*:*:*:*:roundcube:*:*

EPSS

Percentile: 20%
0.00064
Low

7.5 High

CVSS3

Weaknesses

CWE-640

Related vulnerabilities

CVSS3: 7.5
github
more than 2 years ago

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.

EPSS

Percentile: 20%
0.00064
Low

7.5 High

CVSS3

Weaknesses

CWE-640