PT-2023-21990 · Unknown · Concrete CMS
0X0002
Published 2023-04-28 · Updated 2025-01-30
CVE-2023-28821
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Concrete CMS (previously concrete5) versions prior to 9.1
Description
Concrete CMS does not apply a rate limit to password reset requests. This could allow brute-force attacks on user passwords.
Recommendations
For versions prior to 9.1, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider implementing a custom rate limit for password resets until the update can be applied. Restrict access to the password reset functionality to minimize the risk of exploitation.
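The custom rate limit suggested above, as an added example that is not Concrete CMS code: a sliding-window limiter that the reset endpoint consults before doing any work, counting attempts per target account and per source IP. The limits, window and lockout values are assumed, not the project's.

```python
from collections import defaultdict, deque

# Added example, not code from Concrete CMS: a sliding-window limiter that a
# password-reset endpoint consults before sending any reset e-mail. Attempts
# are counted per target account and per source IP, so a run spread across
# many accounts from one address is throttled as well as a run against one
# account. Limits and timings below are assumed values, not the project's.
class ResetRateLimiter:
    def __init__(self, per_account=3, per_ip=10, window=900, lockout=1800):
        self.per_account = per_account  # attempts allowed per account per window
        self.per_ip = per_ip            # attempts allowed per source IP per window
        self.window = window            # sliding window length in seconds
        self.lockout = lockout          # seconds a key stays blocked once exceeded
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts
        self._blocked_until = {}         # key -> epoch second when lockout ends

    def _check(self, key, limit, now):
        """Record an attempt for key and return True if it is within limit."""
        if self._blocked_until.get(key, 0) > now:
            return False
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # expire old attempts
            hits.popleft()
        hits.append(now)
        if len(hits) > limit:
            self._blocked_until[key] = now + self.lockout
            hits.clear()
            return False
        return True

    def allow(self, account, ip, now):
        """Both checks always run so each counter records the attempt."""
        ok_account = self._check(("account", account.lower()), self.per_account, now)
        ok_ip = self._check(("ip", ip), self.per_ip, now)
        # Callers should return the same generic "if the account exists, an
        # e-mail was sent" response whether or not this is True, so the
        # limiter does not become an account-enumeration oracle.
        return ok_account and ok_ip


def simulate(events, limiter=None):
    """Run constructed (time, account, ip) events; return one decision each."""
    limiter = limiter or ResetRateLimiter()
    return [limiter.allow(acct, ip, t) for t, acct, ip in events]


if __name__ == "__main__":
    # Constructed traffic: one account hammered, then the lockout expiring.
    who = ("alice@example.com", "203.0.113.5")
    print(simulate([(t, *who) for t in (0, 10, 20, 30, 40, 1000, 1900)]))
    # [True, True, True, False, False, False, True]
```

Deployed in front of the reset handler, the limiter blocks the fourth attempt against one account within fifteen minutes and keeps it blocked for the lockout period, while the per-IP counter also catches attempts spread across many accounts.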
Weakness Enumeration
Related identifiers
Affected products
Concrete CMS