Strix
26.1K

CVE-2020-10102

MEDIUMCVSS 5.3/10EPSS 0.70%

Last modified

CVE-2020-10102 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. EPSS estimates a 0.70% chance of exploitation in the next 30 days.

Description

An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.70%

48.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ZammadZammad>= 1.0.0, <= 3.2.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-10102?
An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.
How severe is CVE-2020-10102?
CVE-2020-10102 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.70% probability of exploitation in the next 30 days.
How do I fix CVE-2020-10102?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-10102?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST