Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-25961

High

8/10

Summary

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References

Advisory Timeline

Published Sep 29, 2021

Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-25961

Summary

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS