CVE-2023-50172: Weak Password Recovery Mechanism for Forgotten Password

January 10, 2024 (updated January 12, 2024)

A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user.

References

github.com/WWBN/AVideo/commit/15fed957fb64b4055158acfc449bd7974346edb5
github.com/advisories/GHSA-8m5f-2xvp-2c8w
nvd.nist.gov/vuln/detail/CVE-2023-50172
talosintelligence.com/vulnerability_reports/TALOS-2023-1897

Detect and mitigate CVE-2023-50172 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →