CVE-2019-10641 — Weak Password Recovery Mechanism for Forgotten Password in CMS

Severity

9.8CRITICALNVD

EPSS

0.3%

top 49.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedApr 17

Latest updateMay 14

Description

Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

▶Packagistcontao/core3.0.0 — 3.5.39

▶Packagistcontao/contao4.0.0 — 4.4.37+1

▶NVDcontao/contao_cms4.0.0 — 4.7.3+1

▶Packagistcontao/core-bundle4.0.0 — 4.4.37+1

OSV

Contao Does Not Invalidate Existing Sessions When Password Changes↗2022-05-14

▶

GHSA

Contao Does Not Invalidate Existing Sessions When Password Changes↗2022-05-14

▶

CVEList

CVE-2019-10641: Contao before 3↗2019-04-17

▶