CVE-2016-9479

HIGH

b2evolution < 6.7.8 - Unauthenticated Password Reset via Lost Password Functionality

Title source: llm
STIX 2.1

Description

The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.

References (4)

Core 4
Core References
Patch, Release Notes, Vendor Advisory x_refsource_confirm
http://b2evolution.net/downloads/6-7-9-stable
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037393
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/b2evolution/b2evolution/issues/33
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95006

Scores

CVSS v3 7.5
EPSS 0.0184
EPSS Percentile 76.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-255
Status published
Products (1)
b2evolution/b2evolution < 6.7.8
Published Dec 02, 2016
Tracked Since Feb 18, 2026