CVE-2019-15929: Weak Password Recovery Mechanism for Forgotten Password in Craft CMS

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.4% (top 41.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 24; Latest update May 24

Description

In Craft CMS through 3.1.7, the elevated session password prompt was not rate limited the way normal login forms are, so an attacker could make brute-force password attempts against it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (2 packages)

Packagist: craftcms/cms < 3.1.7

Vulnerability Details (3 references)

OSV: Craft CMS possibility of brute force attempts (2022-05-24)
GHSA: Craft CMS possibility of brute force attempts (2022-05-24)
CVEList: CVE-2019-15929: In Craft CMS through 3 (2019-10-24)

Source: CVE-2019-15929 — Craftcms Craft CMS vulnerability | cvebase