CVE-2020-28597 — HIGH (7.5)

Vulnerability Description

A predictable seed vulnerability exists in the password reset functionality of Epignosis EfrontPro 5.2.21. By predicting the seed it is possible to generate the correct password reset 1-time token. An attacker can visit the password reset supplying the password reset token to reset the password of an account of their choice.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Epignosishq	Efront	5.2.17

Related Weaknesses (CWE)

CWE-335 CWE-337

References

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1221Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1221Third Party Advisory

FAQ

What is CVE-2020-28597?

CVE-2020-28597 is a vulnerability with a CVSS score of 7.5 (HIGH). A predictable seed vulnerability exists in the password reset functionality of Epignosis EfrontPro 5.2.21. By predicting the seed it is possible to generate the correct password reset 1-time token. An...

How severe is CVE-2020-28597?

CVE-2020-28597 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-28597?

Check the references section above for vendor advisories and patch information. Affected products include: Epignosishq Efront.