CVE-2023-3222

Name of the Vulnerable Software and Affected Versions Password Recovery plugin for Roundcube version 1.2

Description The issue concerns the password recovery mechanism, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. Since the platform has no limit on the number of requests, an attacker could create an automatic script to test all possible values.

Recommendations For Password Recovery plugin for Roundcube version 1.2, consider disabling the password recovery feature until a patch is available to prevent exploitation. Restrict access to the password recovery mechanism to minimize the risk of unauthorized password changes. Avoid using the password recovery feature with the 6-digit numeric token until the issue is resolved.