CVE-2020-27422 - In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once

CVE-2020-27422

Summary

In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.

References

https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.html
https://www.anuko.com/time-tracker/index.htm

Vulnerable Configurations

cpe:2.3:a:anuko:time_tracker:-:*:*:*:*:*:*:*
cpe:2.3:a:anuko:time_tracker:-:*:*:*:*:*:*:*
cpe:2.3:a:anuko:time_tracker:1.19.23.5311:*:*:*:*:*:*:*
cpe:2.3:a:anuko:time_tracker:1.19.23.5311:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 30-11-2020 - 21:34)
Impact:
Exploitability:

CWE

CWE-613

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

misc

https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.html
https://www.anuko.com/time-tracker/index.htm

Last major update

30-11-2020 - 21:34

Published

16-11-2020 - 16:15

Last modified

30-11-2020 - 21:34