PT-2021-16881 · Dolibarr · Dolibarr

Hagai Wechsler · Published 2021-08-17 · Updated 2021-09-02 · CVE-2021-25957

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dolibarr versions 2.8.1 through 13.0.2

Description: The issue allows a low-privileged attacker to take over accounts via the password reset functionality. The attack exploits the password reset link that is sent to users by email when they request a forgotten password.

Recommendations: For versions 2.8.1 through 13.0.2, consider disabling the password reset functionality until a patch is available, to prevent account takeover, and restrict access to the password reset link to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2021-25957
GHSA-C32W-3CQH-F6JX

Affected Products

Dolibarr