CVE-2016-0783

7.5HIGH

Key Information:

Vendor: Apache
Status: Openmeetings
Vendor: CVE Published:; 11 April 2016

Summary

The sendHashByUser function in Apache OpenMeetings before 3.1.1 generates predictable password reset tokens, which makes it easier for remote attackers to reset arbitrary user passwords by leveraging knowledge of a user name and the current system time.

References

http://haxx.ml/post/141655340521/all-your-meetings-are-be...

x_refsource_MISC

http://packetstormsecurity.com/files/136432/Apache-OpenMe...

x_refsource_MISC

https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 11, 2016
Vulnerability Reserved
Dec 16, 2015

.