Home > Vulnerability Database > WS-2023-0072

Mend.io Vulnerability Database

WS-2023-0072

Date: January 24, 2023

In FusionCMS (FusionGen), it was discovered that the password recovery feature on the website is vulnerable to predictable key and password generation. An attacker is able to predict the key used in the password recovery process and the generated password itself by using a specific PHP command and the user's email and username. An attacker can gain access to a user's account by predicting the key and generated password. This can potentially lead to sensitive information being compromised. The key generation process should be made more secure by using a cryptographically secure algorithm and adding a unique and unpredictable salt. The password generation process should also be made more secure by using a cryptographically secure random number generator.

Language: PHP

Severity Score

9.4

Related Resources (2)

Url: https://github.com/fusiongen/fusiongen/commit/4909c506a58f208a86f15676039c3bceeb02ee53

Url: https://www.mend.io/vulnerability-database/WS-2023-0072

Severity Score

9.4

Weakness Type (CWE)

Use of Password Hash With Insufficient Computational Effort

CWE-916

CVSS v3.1

Base Score:	9.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0072

Date: January 24, 2023

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?