CVE-2016-9479
HIGHb2evolution < 6.7.8 - Unauthenticated Password Reset via Lost Password Functionality
Title source: llmDescription
The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.
References (4)
Core 4
Core References
Patch, Release Notes, Vendor Advisory x_refsource_confirm
http://b2evolution.net/downloads/6-7-9-stable
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1037393
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/b2evolution/b2evolution/issues/33
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/95006
Scores
CVSS v3
7.5
EPSS
0.0184
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-255
Status
published
Products (1)
b2evolution/b2evolution
< 6.7.8
Published
Dec 02, 2016
Tracked Since
Feb 18, 2026