CVE-2024-6890

HIGH

Journyx - Unauthenticated Password Reset Token Brute-Force via Insecure Randomness


Description

Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can brute-force the password reset token and change the administrator password.

References (2)

Exploit, Third Party Advisory: https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt

Scores

CVSS v3 8.8
EPSS 0.0072
EPSS Percentile 48.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-799 CWE-321 CWE-334 CWE-798
Status published
Products (1)
journyx/journyx 11.5.4
Published Aug 07, 2024
Tracked Since Feb 18, 2026