CVE-2017-8385Weak Password Recovery Mechanism for Forgotten Password in Craft CMS

CWE-640Weak Password Recovery Mechanism for Forgotten Password4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.3%
top 48.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms CMSCraftcms Craft CMS
Timeline
PublishedMay 1
Latest updateMay 17

Description

Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

Packagistcraftcms/cms< 2.6.2976
NVDcraftcms/craft_cms2.6.2974

🔴Vulnerability Details

3
OSV
Craft CMS subject to URL forgery2022-05-17
GHSA
Craft CMS subject to URL forgery2022-05-17
CVEList
CVE-2017-8385: Craft CMS before 22017-05-01
CVE-2017-8385 — Craftcms Craft CMS vulnerability | cvebase