PT-2026-7671 · Avideo+2 · Avideo Platform+1

Ihsan Sencan · Published 2026-02-11 · Updated 2026-02-20 · CVE-2020-37158

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AVideo Platform version 8.1

Description

The software contains a cross-site request forgery issue that allows attackers to reset user passwords. This is possible by exploiting the password recovery mechanism. Attackers can create malicious requests to the /recoverPass API endpoint using a user's recovery token to change account credentials without needing to authenticate. The vulnerable parameter is the user's recovery token.

Recommendations

Apply updates to address the issue in AVideo Platform version 8.1. As a temporary workaround, consider restricting access to the /recoverPass API endpoint to minimize the risk of exploitation.
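
A detection sketch to accompany the description and workaround above, added here as an example and not taken from the advisory or from AVideo's code: it classifies access-log requests to /recoverPass by whether their Referer is same-site, cross-site or missing. The combined log format, the site host video.example.test, the HTTP method and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "video.example.test"   # assumption: the AVideo site's own hostname
ENDPOINT = "/recoverPass"          # endpoint named in the advisory

# Assumed Apache/nginx "combined" format: ip - user [time] "METHOD target proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (verdict, fields) for a /recoverPass request, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = urlsplit(m["target"]).path.rstrip("/")
    if path.lower() != ENDPOINT.lower():
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"     # stripped by Referrer-Policy or a non-browser client: review
    else:
        host = (urlsplit(referer).hostname or "").lower()
        verdict = "same-site" if host == SITE_HOST else "cross-site"
    return verdict, m.groupdict()

def triage(lines):
    """Collect /recoverPass hits that did not originate from the site's own pages."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result[0] != "same-site":
            hits.append((result[0], result[1]["ip"], result[1]["time"], result[1]["referer"]))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '198.51.100.7 - - [11/Feb/2026:10:01:02 +0000] "POST /recoverPass HTTP/1.1" 200 312 "https://video.example.test/user" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Feb/2026:10:05:40 +0000] "POST /recoverPass HTTP/1.1" 200 312 "https://other.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.22 - - [11/Feb/2026:10:06:11 +0000] "POST /recoverPass HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Feb/2026:10:07:00 +0000] "GET /videos HTTP/1.1" 200 9000 "https://other.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, ip, when, referer in triage(SAMPLE):
        print(f"{verdict:11} {ip:15} {when}  referer={referer}")
```

A cross-site hit is a lead for review rather than proof of abuse, and a missing Referer can come from a privacy setting as easily as from a forged request.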

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2020-37158

Affected Products

Avideo Platform
Avideo