CVE-2023-50172 — Weak Password Recovery Mechanism for Forgotten Password in Avideo

CWE-640 — Weak Password Recovery Mechanism for Forgotten Password5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 63.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedJan 10

Latest updateJan 17

Description

A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Packagistwwbn/avideo12.4

▶CVEListV5wwbn/avideodev master commit 15fed957fb

▶NVDwwbn/avideo15fed957fb

🔴Vulnerability Details

GHSA

WWBN AVideo recovery notification bypass vulnerability↗2024-01-10

▶

OSV

WWBN AVideo recovery notification bypass vulnerability↗2024-01-10

▶

🕵️Threat Intelligence

Talos

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024↗2024-01-17

▶

Talos

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024↗2024-01-17

▶