PT-2025-22821 · Strangebee · Thehive
Published
2025-05-23
·
Updated
2025-05-24
·
CVE-2025-48738
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:L |
Name of the Vulnerable Software and Affected Versions
StrangeBee TheHive versions 5.2.0 through 5.2.15
StrangeBee TheHive versions 5.3.0 through 5.3.10
StrangeBee TheHive versions 5.4.0 through 5.4.9
StrangeBee TheHive versions 5.5.0
Description
An e-mail flooding issue allows unauthenticated remote attackers to use the password reset feature without limits. This can lead to consequences including mailbox storage exhaustion for targeted users, reputation damage to the SMTP server, potentially causing it to be blacklisted, and overload of the SMTP server's outbound mail queue.
Recommendations
For versions 5.2.0 through 5.2.15, update to version 5.2.16 or later.
For versions 5.3.0 through 5.3.10, update to version 5.3.11 or later.
For versions 5.4.0 through 5.4.9, update to version 5.4.10 or later.
For version 5.5.0, update to version 5.5.1 or later.
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Thehive