We found results for “”
WS-2023-0072
Date: January 24, 2023
In FusionCMS (FusionGen), it was discovered that the password recovery feature on the website is vulnerable to predictable key and password generation. An attacker is able to predict the key used in the password recovery process and the generated password itself by using a specific PHP command and the user's email and username. An attacker can gain access to a user's account by predicting the key and generated password. This can potentially lead to sensitive information being compromised. The key generation process should be made more secure by using a cryptographically secure algorithm and adding a unique and unpredictable salt. The password generation process should also be made more secure by using a cryptographically secure random number generator.
Language: PHP
Severity Score
Severity Score
Weakness Type (CWE)
Use of Password Hash With Insufficient Computational Effort
CWE-916CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | LOW |
Availability (A): | HIGH |