QwikSec

Security Database

CVE

CWE

Training

CVE-2024-7659

Published: Aug 11, 2024

Modified: Aug 13, 2024

PUBLISHED

CVSS v3.1

3.7

LOW

Description

A vulnerability, which was classified as problematic, was found in projectsend up to r1605. Affected is the function generate_random_string of the file includes/functions.php of the component Password Reset Token Handler. The manipulation leads to insufficiently random values. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version r1720 is able to address this issue. The name of the patch is aa27eb97edc2ff2b203f97e6675d7b5ba0a22a17. It is recommended to upgrade the affected component.

Vendor	Product	Versions
n/a	projectsend	affected `r1605`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

VDB-274116 | projectsend Password Reset Token functions.php generate_random_string random values

vdb-entry

technical-description

VDB-274116 | CTI Indicators (IOB, IOC, TTP, IOA)

signature

permissions-required

Submit #385004 | ProjectSend ProjectSend file sharing web application r1605 Authentication Bypass Issues

third-party-advisory

https://github.com/projectsend/projectsend/commit/aa27eb97edc2ff2b203f97e6675d7b5ba0a22a17

patch

https://github.com/projectsend/projectsend/releases/tag/r1720

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.