CVE-2016-3735
Last modified
CVE-2016-3735 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. EPSS estimates a 1.36% chance of exploitation in the next 30 days.
Description
Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Piwigo | Piwigo | < 2.8.1 |
References
- https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068dPatch, Third Party Advisory
- https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068dPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-3735?
How severe is CVE-2016-3735?
How do I fix CVE-2016-3735?
Are you affected by CVE-2016-3735?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST