Unknown · B2Evolution · CVE-2022-30935
**Name of the Vulnerable Software and Affected Versions**
b2evolution versions prior to 7.2.3
**Description**
b2evolution generates password reset tokens with a weak, non-cryptographic randomness function, so a remote, unauthenticated attacker can predict the reset token issued to any user. With a predicted token the attacker obtains a valid session as that user and can optionally reset the user's password; the advisory classifies the flaw as an authorization bypass.
**Recommendations**
Update to b2evolution 7.2.3 or later, which replaces the randomness function used to generate password reset tokens.
Until the update can be applied, restrict access to the password reset functionality (for example, at the web server, to trusted addresses) so that untrusted clients can neither request nor redeem reset tokens. This is a temporary workaround only: because the tokens are predictable rather than leaked, rotating user passwords does not remove the exposure.
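The following is an added example written for this page; it is not b2evolution's code and does not reproduce its actual token generator. It assumes, as a constructed illustration of a "bad randomness function", a token derived from a non-cryptographic PRNG seeded with a one-second-resolution timestamp. Because the attacker is the one who triggers the reset for the victim, they know the seed to within a few seconds and can enumerate the window. The hardened service beside it shows what the recommended fix looks like in practice: an OS CSPRNG token, stored hashed, time-limited, single use, and compared in constant time. Names such as `WeakResetService`, `HardenedResetService` and `search_seed_window` are hypothetical.

```python
"""Added example (not b2evolution's code): predictable vs. unpredictable
password reset tokens. The weak generator is an assumed illustration of a
non-cryptographic PRNG seeded with a coarse timestamp."""
import hashlib
import hmac
import random
import secrets

TOKEN_BITS = 128


def weak_token(seed: int) -> str:
    """Token from a Mersenne Twister seeded with a second-resolution timestamp.
    The token is fully determined by the seed, so guessing the seed guesses
    the token (assumed weak scheme, for illustration only)."""
    return format(random.Random(seed).getrandbits(TOKEN_BITS), "032x")


class WeakResetService:
    """Vulnerable pattern: low-entropy seed, plaintext storage, no expiry."""

    def __init__(self) -> None:
        self._tokens = {}  # user -> plaintext token

    def request_reset(self, user: str, now: int) -> str:
        self._tokens[user] = weak_token(now)
        return self._tokens[user]  # in a real app this is e-mailed to the user

    def redeem(self, user: str, token: str) -> bool:
        return self._tokens.get(user) == token


class HardenedResetService:
    """Fixed pattern: CSPRNG token, stored as a hash, time-limited, single use,
    constant-time comparison."""

    TTL_SECONDS = 900

    def __init__(self) -> None:
        self._tokens = {}  # user -> (sha256 hex of token, expiry timestamp)

    def request_reset(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[user] = (digest, now + self.TTL_SECONDS)
        return token  # delivered out of band; only the hash is kept

    def redeem(self, user: str, token: str, now: int) -> bool:
        entry = self._tokens.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._tokens[user]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._tokens[user]  # single use: a redeemed token cannot be replayed
        return True


def search_seed_window(redeem, center: int, window: int):
    """Attacker side: the reset was triggered at roughly `center` (the attacker
    requested it for the victim), so try every seed within +/- `window`
    seconds. Returns (accepted_token, attempts) or (None, attempts)."""
    attempts = 0
    for delta in range(-window, window + 1):
        attempts += 1
        candidate = weak_token(center + delta)
        if redeem(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed scenario: reset issued at t=1700000000, attacker guesses t+17.
    weak = WeakResetService()
    weak.request_reset("victim", 1_700_000_000)
    found, tries = search_seed_window(lambda t: weak.redeem("victim", t), 1_700_000_017, 60)
    print("weak service: token recovered after", tries, "attempts:", found is not None)

    hard = HardenedResetService()
    hard.request_reset("victim", 1_700_000_000)
    found, tries = search_seed_window(
        lambda t: hard.redeem("victim", t, 1_700_000_017), 1_700_000_017, 60)
    print("hardened service: token recovered:", found is not None, "after", tries, "attempts")
```

The seed search is the whole attack: it needs no credentials, only the ability to request a reset for the victim and to submit candidate tokens. Against the hardened service the same search fails because the token carries 256 bits of OS entropy unrelated to the request time, and even a leaked database row yields only a hash. The expiry and single-use checks limit the damage if a token is ever exposed by other means, and `hmac.compare_digest` avoids leaking the stored hash through timing.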