CVE-2016-3735 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2016-3735?

CVE-2016-3735 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-3735?

Check the references section above for vendor advisories and patch information. Affected products include: Piwigo Piwigo.

Vulnerability Description

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Piwigo	Piwigo	< 2.8.1

Related Weaknesses (CWE)

CWE-335

References

FAQ

What is CVE-2016-3735?

CVE-2016-3735 is a vulnerability with a CVSS score of 8.1 (HIGH). Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after...

How severe is CVE-2016-3735?

CVE-2016-3735 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-3735?

Check the references section above for vendor advisories and patch information. Affected products include: Piwigo Piwigo.