CVE-2023-49589Weak Password Recovery Mechanism for Forgotten Password in Avideo

CWE-640Weak Password Recovery Mechanism for Forgotten Password4 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.2%
top 52.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
PublishedJan 10
Latest updateJan 17

Description

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5wwbn/avideodev master commit 15fed957fb
NVDwwbn/avideo15fed957fb

🔴Vulnerability Details

1
GHSA
GHSA-6m9q-9m44-9hvq: An insufficient entropy vulnerability exists in the userRecoverPass2024-01-10

🕵️Threat Intelligence

2
Talos
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 20242024-01-17
Talos
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 20242024-01-17