PT-2009-2440 · Simple Machines · Simple Machines Forum
Raz0R
·
Published
2009-08-13
·
Updated
2017-09-29
·
CVE-2008-6971
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions:
Simple Machines Forum versions 1.0.x through 1.0.13
Simple Machines Forum versions 1.1.x through 1.1.5
Simple Machines Forum versions 2.0 before beta 4
Description:
The password reset functionality in Simple Machines Forum includes clues about the random number generator state within a hidden form field and generates predictable validation codes. This allows remote attackers to modify passwords of other users and gain privileges.
Recommendations:
For Simple Machines Forum versions 1.0.x through 1.0.13, update to version 1.0.14 or later.
For Simple Machines Forum versions 1.1.x through 1.1.5, update to version 1.1.6 or later.
For Simple Machines Forum versions 2.0 before beta 4, update to beta 4 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Simple Machines Forum