CVE-2022-45782

Name of the Vulnerable Software and Affected Versions dotCMS core versions 5.3.8.5 through 5.3.8.15 dotCMS core versions 21.03 through 22.10.1

Description An issue was discovered in dotCMS core where a cryptographically insecure random generation algorithm is used for password-reset token generation, leading to account takeover.

Recommendations For versions 5.3.8.5 through 5.3.8.15, update to a version outside of this range to resolve the issue. For versions 21.03 through 22.10.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the password-reset feature until a patch is available. Restrict access to the password-reset functionality to minimize the risk of exploitation.