CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30935
https://notcve.org/view.php?id=CVE-2022-30935
28 Sep 2022 — An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed in a default installation of version 7.2.3. Earlier versions are affected, possibly earlier major versions as well. Una omisión de autorización en b2evolution permite a atacantes remotos no autenticados predecir to... • https://b2evolution.net/downloads/7-2-5-stable • CWE-330: Use of Insufficiently Random Values •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 4CVE-2021-28242 – b2evolution 7-2-2 - 'cf_name' SQL Injection
https://notcve.org/view.php?id=CVE-2021-28242
15 Apr 2021 — SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab. Una inyección SQL en el componente "evoadm.php" de b2evolution versión v7.2.2-stable, permite a atacantes remotos obtener información confidencial de la base de datos al inyectar comandos SQL en el parámetro "cf_name" al crear un nuevo filtro en la pestaña "Colec... • https://packetstorm.news/files/id/162489 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •