CVE-2023-34357

HIGH

Scshr HR Portal - Password Reset Weakness

Title source: rule

Description

Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.

References (1)

[Third Party Advisory] https://www.twcert.org.tw/tw/cp-132-7347-2653e-1.html

Scores

CVSS v3 7.8

EPSS 0.0003

EPSS Percentile 7.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-640

Status published

Products (2)

scshr/hr_portal 7.3.2023.0510

scshr/hr_portal 7.3.2023.0705

Published Sep 07, 2023

Tracked Since Feb 18, 2026