PT-2016-4411 · Apache · Apache Openmeetings

Andreas Lindh

Published

2016-04-11

Updated

2018-10-09

CVE-2016-0783

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache OpenMeetings versions prior to 3.1.1

Description The issue allows remote attackers to reset arbitrary user passwords by leveraging knowledge of a user name and the current system time, due to the generation of predictable password reset tokens by the sendHashByUser function.

Recommendations For versions prior to 3.1.1, update to version 3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality until the update is applied.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2016-0783

Affected Products

Apache Openmeetings

PT-2016-4411 · Apache · Apache Openmeetings

CVE-2016-0783

Weakness Enumeration

Related Identifiers

Affected Products

References · 7