Description
HumHub is an Open Source Enterprise Social Network. In affected versions, users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that HumHub be upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.
References (3)
Third Party Advisory (x_refsource_confirm): https://github.com/humhub/humhub/security/advisories/GHSA-2h35-f226-3f57
Patch, Third Party Advisory (x_refsource_misc): https://github.com/humhub/humhub/commit/eb83de20aaecc559ab77a44a6179646a99607e33
Exploit, Patch, Third Party Advisory (x_refsource_misc): https://huntr.dev/bounties/89d996a2-de30-4261-8e3f-98e54cb25f76/
Scores
CVSS v3: 6.5 (Attack Vector: NETWORK)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0034 (EPSS Percentile: 56.8%)
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: no; Technical Impact: partial
Details
CWE: CWE-200, CWE-863
Status: published
Products (1): humhub/humhub < 1.9.4
Published: Apr 20, 2022
Tracked Since: Feb 18, 2026