Unknown · Projectsend · CVE-2020-28874
Name of the Vulnerable Software and Affected Versions:
ProjectSend versions prior to r1295
Description:
The issue arises from incorrect business logic in the reset-password.php file, allowing remote attackers to reset a password. Specifically, error conditions such as an invalid `token` parameter are not properly handled, so the reset proceeds instead of being rejected.
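To make the flaw class concrete, the following is an added, hypothetical PHP reset handler written for this entry; it is not ProjectSend's code and does not reproduce the actual reset-password.php logic. It shows the fail-open pattern the description names (an invalid token is noted as an error, but the update still runs) beside a fail-closed version that aborts on any validation error and derives the user identity from the token record rather than from the request. The token table, user table and fixed clock are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not ProjectSend code. All data below is constructed in memory;
// a real handler would query the database and invalidate the token after use.

const NOW = 1700000000;   // fixed "current time" so the sample data is deterministic

// Constructed sample data: token => [user_id, expires_at]
$tokens = [
    'valid-example-token'   => ['user_id' => 7, 'expires_at' => NOW + 3600],
    'expired-example-token' => ['user_id' => 7, 'expires_at' => NOW - 60],
];
$users = [
    7 => ['password_hash' => password_hash('old-password', PASSWORD_DEFAULT)],
];

/**
 * Validate a reset token. Returns [row-or-null, list of error strings].
 * Any problem (missing, unknown, expired) yields a null row and a non-empty error list.
 */
function validate_token(array $tokens, ?string $token): array
{
    if ($token === null || $token === '') {
        return [null, ['missing token']];
    }
    $row = $tokens[$token] ?? null;
    if ($row === null) {
        return [null, ['unknown token']];
    }
    if ($row['expires_at'] < NOW) {
        return [null, ['expired token']];
    }
    return [$row, []];
}

/**
 * FAIL-OPEN (the bug class): the error is collected for display, but nothing
 * stops the password update, and the user id is trusted from the form.
 */
function reset_password_fail_open(array $tokens, array &$users, array $request): array
{
    [, $errors] = validate_token($tokens, $request['token'] ?? null);
    $userId = (int)($request['user_id'] ?? 0);          // client-supplied, hypothetical field
    if (!empty($request['new_password'])) {              // only the password presence is checked
        $users[$userId]['password_hash'] = password_hash($request['new_password'], PASSWORD_DEFAULT);
        return ['changed' => true, 'errors' => $errors];
    }
    return ['changed' => false, 'errors' => $errors];
}

/**
 * FAIL-CLOSED: abort on any validation error, and take the user id from the
 * token record, never from the request.
 */
function reset_password_fail_closed(array $tokens, array &$users, array $request): array
{
    [$row, $errors] = validate_token($tokens, $request['token'] ?? null);
    if ($row === null || $errors !== [] || empty($request['new_password'])) {
        return ['changed' => false, 'errors' => $errors ?: ['missing password']];
    }
    $users[$row['user_id']]['password_hash'] = password_hash($request['new_password'], PASSWORD_DEFAULT);
    return ['changed' => true, 'errors' => []];
}

// Usage with the constructed data: an invalid token must not change anything.
$badRequest = ['token' => 'no-such-token', 'user_id' => 7, 'new_password' => 'attacker-chosen'];
var_dump(reset_password_fail_open($tokens, $users, $badRequest)['changed']);   // bool(true)  <- bug
var_dump(reset_password_fail_closed($tokens, $users, $badRequest)['changed']); // bool(false) <- fixed

$goodRequest = ['token' => 'valid-example-token', 'new_password' => 'new-password'];
var_dump(reset_password_fail_closed($tokens, $users, $goodRequest)['changed']); // bool(true)
```

The point to carry into a code review is that collecting an error is not the same as acting on it: a reset handler should have exactly one path that writes a password, and that path must be reachable only after every check (presence, existence, expiry, single use) has passed. Deriving the account from the token record also removes any client-controlled identity from the flow.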
Recommendations:
For versions prior to r1295, update to version r1295 or later to resolve the issue. As a temporary workaround, consider restricting access to the reset-password.php file until the update is applied.