CVE-2022-34530 — Weak Password Recovery Mechanism for Forgotten Password in Backdrop CMS

CWE-640 — Weak Password Recovery Mechanism for Forgotten Password3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 57.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Backdropcms Backdrop CMS

Timeline

PublishedAug 1

Latest updateAug 2

Description

An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶NVDbackdropcms/backdrop_cms1.22.0

🔴Vulnerability Details

GHSA

GHSA-r4cx-cqjr-vfr8: An issue in the login and reset password functionality of Backdrop CMS v1↗2022-08-02

▶

CVEList

CVE-2022-34530: An issue in the login and reset password functionality of Backdrop CMS v1↗2022-08-01

▶