An attacker can access the "Forgot my password" button. As soon as he enters a user that is valid in the system, the system issues a message that a password reset email has been sent to the user. This way an attacker can verify which users are in the system and which are not.
References
Link | Resource |
---|---|
https://www.gov.il/en/departments/faq/cve_advisories | Third Party Advisory |
History
21 Nov 2024, 06:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.gov.il/en/departments/faq/cve_advisories - Third Party Advisory | |
CVSS | v2 : v3 : | v2 : 4.0 v3 : 5.5 |
Information
Published : 2022-07-06 14:15
Updated : 2024-11-21 06:48
NVD link : CVE-2022-23172
Mitre link : CVE-2022-23172
CVE.ORG link : CVE-2022-23172
Products Affected
priority-software
- priority
CWE
CWE-640
Weak Password Recovery Mechanism for Forgotten Password