PT-2022-20394 · Unknown · B2Evolution

Msc-Secura · Published 2022-09-28 · Updated 2022-09-30 · CVE-2022-30935

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: b2evolution versions prior to 7.2.3

Description: An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password-reset tokens for any user, because the tokens are generated with a non-cryptographic randomness function. With a predicted token the attacker obtains a valid session for an arbitrary user and can optionally reset that user's password.

Recommendations: Update to b2evolution 7.2.3 or later, which fixes the randomness function used for password-reset tokens. Until the update can be applied, restrict access to the password-reset functionality (for example, disable it or limit it to trusted networks) as a temporary workaround.
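The following is an added example illustrating the weakness class described above; it is not b2evolution's code and does not reproduce its token generator. The weak variant models the pattern the advisory describes, a non-cryptographic PRNG seeded from a value the attacker can estimate (assumed here to be the request timestamp), and shows how an attacker who triggers a reset for a victim enumerates a small window of seeds to recover the token. The hardened variant swaps in a CSPRNG. The `ResetService` class, the user name, the timestamps and the attacker's clock skew are all constructed for the example.

```python
"""Constructed illustration of the weakness class behind CVE-2022-30935
(CWE-330 in a password-reset flow). This is not b2evolution's code: the weak
generator models the pattern the advisory describes, a non-cryptographic PRNG
seeded from a guessable value, and the strong generator shows the fix."""
import hmac
import random
import secrets

TOKEN_HEX_LEN = 32                      # 128-bit token rendered as hex
HEX = "0123456789abcdef"


def weak_token(seed: int) -> str:
    """VULNERABLE (assumed pattern): Mersenne Twister seeded with the
    Unix timestamp of the reset request, so the token is a pure function
    of a value the attacker can estimate to within seconds."""
    rng = random.Random(seed)
    return "".join(rng.choice(HEX) for _ in range(TOKEN_HEX_LEN))


def strong_token() -> str:
    """FIX: operating-system CSPRNG, 128 bits of entropy, nothing to seed."""
    return secrets.token_hex(TOKEN_HEX_LEN // 2)


class ResetService:
    """Minimal reset-token store; the generator is pluggable so both
    variants go through the same verification path."""

    def __init__(self, generator):
        self._generator = generator     # callable(now: int) -> str
        self._tokens = {}               # user -> outstanding token
        self.attempts = 0               # verification attempts seen

    def request_reset(self, user: str, now: int) -> None:
        # In a real deployment the token is mailed to the account owner only.
        self._tokens[user] = self._generator(now)

    def consume(self, user: str, token: str) -> bool:
        self.attempts += 1
        stored = self._tokens.get(user)
        if stored is not None and hmac.compare_digest(stored, token):
            del self._tokens[user]      # single use
            return True
        return False


def attack(service: ResetService, user: str, t_observed: int, window: int):
    """Attacker triggered the reset for `user`, so they know roughly when it
    happened. Enumerate every seed within +/- `window` seconds and submit
    the resulting candidate tokens; returns the accepted token or None."""
    for seed in range(t_observed - window, t_observed + window + 1):
        candidate = weak_token(seed)
        if service.consume(user, candidate):
            return candidate
    return None


T_REQUEST = 1664323200      # constructed: when the victim's reset was issued
T_ATTACKER = T_REQUEST + 7  # constructed: attacker's estimate, a few seconds off


def demo(generator, window: int = 30) -> dict:
    svc = ResetService(generator)
    svc.request_reset("victim", T_REQUEST)
    token = attack(svc, "victim", T_ATTACKER, window)
    return {"hijacked": token is not None, "attempts": svc.attempts}


def demo_weak() -> dict:
    return demo(weak_token)                  # -> {'hijacked': True, 'attempts': 24}


def demo_strong() -> dict:
    return demo(lambda now: strong_token())  # -> {'hijacked': False, 'attempts': 61}


if __name__ == "__main__":
    print("weak  :", demo_weak())
    print("strong:", demo_strong())
```

With the weak generator the attacker needs at most 2 × window + 1 requests to the reset endpoint (24 here), which is why rate limiting or restricting the endpoint only buys time; the fix is to derive the token from a CSPRNG, as in `strong_token`, so that no observable input determines it.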

Fix

Weakness Enumeration: Use of Insufficiently Random Values (CWE-330)

Related Identifiers: CVE-2022-30935

Affected Products: B2Evolution