CVE-2020-15181 – Admin account takeover in Alfresco Reset Password
https://notcve.org/view.php?id=CVE-2020-15181
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0 El add-on Alfresco Reset Password versiones anteriores a 1.2.0, se basa en entradas no confiables en una decisión de seguridad. Los intrusos pueden conseguir acceso de administrador al sistema usando la vulnerabilidad en el proyecto. • https://github.com/FlexSolution/AlfrescoResetPassword/commit/5927b9651356c4cd952cb9b485292583d305b47c https://github.com/FlexSolution/AlfrescoResetPassword/security/advisories/GHSA-xrc8-fjp4-h4fv • CWE-20: Improper Input Validation CWE-284: Improper Access Control •
CVE-2020-25728
https://notcve.org/view.php?id=CVE-2020-25728
The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account. El add-on Reset Password versiones anteriores a 1.2.0 para Alfresco, presenta un algoritmo roto (que implica un incremento) que permite a un usuario malicioso cambiar la contraseña de la cuenta de cualquier usuario, incluyendo la cuenta de administrador • https://amriunix.com/post/alfresco-reset-password-add-on-0-day-vulnerabilities • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •