PT-2022-9688 · Unknown · Userfrosting
Silic0Ns0Ldier · Published 2022-01-03 · Updated 2022-01-13 · CVE-2021-25994
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Userfrosting versions v0.3.1 through v4.6.2
Description: The issue allows an unauthenticated attacker to take over a victim's account by abusing the "forgot password" functionality. The attacker lures a victim application user into clicking a link; once the victim does so, the attacker is able to reset the victim's password.
Recommendations: For versions v0.3.1 through v4.6.2, consider disabling the "forgot password" functionality until a patch is available, to prevent exploitation. Restrict access to the affected functionality to minimize the risk of account takeover.

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2021-25994
GHSA-CV25-3GMG-C6M8

Affected Products

Userfrosting