Description
Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://telekomsecurity.github.io/2018/04/trovebox-vulnerabilities.html
Scores
CVSS v3
9.8
EPSS
0.0121
EPSS Percentile
64.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-640
Status
published
Products (2)
trovebox/trovebox
4.0.0 rc2 (3 CPE variants)
trovebox/trovebox
< 3.0.0
Published
Jun 26, 2018
Tracked Since
Feb 18, 2026