CVE-2020-27422
Published 2020-11-16
Priority P2 · 65 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.76% (93.9th percentile)
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anuko | time_tracker | <= 1.19.23.5311 | — |
Detection & IOCs (extracted from sources)
- Password reset tokens in Anuko Time Tracker v1.19.23.5311 do not expire after first use; monitor for repeated use of the same password reset link/token against the application's reset endpoint.
- Detect multiple successful password reset completions using the same token: a single reset token being submitted more than once indicates exploitation of CVE-2020-27422.
- Alert on repeated POST requests to the Anuko Time Tracker Password Reset module with an identical reset token parameter in a short time window.
- Exploitation requires the attacker to already possess the victim's password reset link/token (e.g., via email interception, phishing, or access to mail logs); the vulnerability itself does not provide a way to obtain the link.
- The vulnerability affects Anuko Time Tracker v1.19.23.5311 and prior versions; verify the installed version before applying detection logic.
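The three detection bullets above describe one check: the same reset token completing a password reset more than once. The script below is an added example (not code from this page or from the Anuko project) that runs that check over web-server access logs. It assumes a combined-format log, that the reset form lives at `/password_change.php` and carries the token in a `ref` query parameter, and that a 200 or 302 response to the POST means the reset completed; all three are assumptions and are parameters you can change. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined style, trimmed).
# Token abc123 is used to complete a reset twice, from two different IPs;
# token zzz999 is used once, which is the normal case.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2020:10:00:01 +0000] "GET /password_change.php?ref=abc123 HTTP/1.1" 200 512
203.0.113.5 - - [16/Nov/2020:10:00:09 +0000] "POST /password_change.php?ref=abc123 HTTP/1.1" 302 0
198.51.100.7 - - [16/Nov/2020:10:03:41 +0000] "GET /password_change.php?ref=abc123 HTTP/1.1" 200 512
198.51.100.7 - - [16/Nov/2020:10:03:52 +0000] "POST /password_change.php?ref=abc123 HTTP/1.1" 302 0
192.0.2.9 - - [16/Nov/2020:11:30:00 +0000] "POST /password_change.php?ref=zzz999 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict (ip, ts, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def reset_token(request_path, reset_path, token_param):
    """Return the reset token if the request targets the reset endpoint, else None."""
    parts = urlsplit(request_path)
    if parts.path != reset_path:
        return None
    values = parse_qs(parts.query).get(token_param)
    return values[0] if values else None


def find_reused_tokens(log_text, reset_path="/password_change.php", token_param="ref",
                       window=timedelta(minutes=30), success_statuses=(200, 302)):
    """Alert on reset tokens that complete (POST + success status) more than once within `window`.

    reset_path / token_param / success_statuses are assumptions about the deployment;
    adjust them to the real endpoint before using this against production logs.
    """
    completions = defaultdict(list)  # token -> [(ts, ip), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        # GETs are just the user opening the link; only a completed POST counts as a use.
        if rec is None or rec["method"] != "POST" or rec["status"] not in success_statuses:
            continue
        token = reset_token(rec["path"], reset_path, token_param)
        if token:
            completions[token].append((rec["ts"], rec["ip"]))

    alerts = []
    for token, uses in completions.items():
        uses.sort()
        # Compare each completion with the next one for the same token.
        for (t1, ip1), (t2, ip2) in zip(uses, uses[1:]):
            if t2 - t1 <= window:
                alerts.append({
                    "token": token,
                    "first_ip": ip1,
                    "second_ip": ip2,
                    "seconds_apart": int((t2 - t1).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_reused_tokens(SAMPLE_LOG):
        print(f"reset token {alert['token']} reused: {alert['first_ip']} then "
              f"{alert['second_ip']} ({alert['seconds_apart']}s apart)")
```

Two practical notes. The check keys on a completed POST rather than on the GET that merely renders the form, so a user who opens the emailed link twice before submitting does not trigger it. And because the token travels in the query string, it appears in access logs and in any proxy or CDN logs in front of the application; those logs are themselves a place an attacker could obtain the link, which is the precondition the page notes above, so restrict who can read them.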
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.