reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).
References
Link | Resource |
---|---|
http://projectsend.com | Vendor Advisory |
https://github.com/projectsend/projectsend/commit/440204734e9a1687cb9887e1c887173d23c5a93e | Patch Third Party Advisory |
https://github.com/projectsend/projectsend/commits/master | Patch Third Party Advisory |
https://github.com/projectsend/projectsend/releases/tag/r1295 | Release Notes Third Party Advisory |
https://github.com/varandinawer/CVE-2020-28874 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-01-21T15:01:48
Updated: 2021-01-21T15:01:48
Reserved: 2020-11-16T00:00:00
Link: CVE-2020-28874
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-01-26T18:15:51.020
Modified: 2021-07-21T11:39:23.747
Link: CVE-2020-28874
JSON object: View
Redhat Information
No data.