CVE-2020-27422
CRITICALCVSS 9.8/10EPSS 7.76%
Last modified
CVE-2020-27422 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.. EPSS estimates a 7.76% chance of exploitation in the next 30 days.
Description
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Anuko | Time Tracker | <= 1.19.23.5311 |
References
- https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.htmlThird Party Advisory, VDB Entry
- https://www.anuko.com/time-tracker/index.htmProduct, Vendor Advisory
- https://packetstormsecurity.com/files/160051/Anuko-Time-Tracker-1.19.23.5311-Password-Reset.htmlThird Party Advisory, VDB Entry
- https://www.anuko.com/time-tracker/index.htmProduct, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-27422?
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.
How severe is CVE-2020-27422?
CVE-2020-27422 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 7.76% probability of exploitation in the next 30 days.
How do I fix CVE-2020-27422?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2020-27422?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST