CVE-2016-7903
Published on: 01/04/2017 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:06 PM UTC
Certain versions of Dotclear from Dotclear contain the following vulnerability:
Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.
- CVE-2016-7903 has been assigned by [email protected] to track the vulnerability - currently rated as LOW severity.
CVSS3 Score: 3.7 - LOW

| Attack Vector | Attack Complexity | Privileges Required | User Interaction |
|---|---|---|---|
| NETWORK | HIGH | NONE | NONE |

| Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|
| UNCHANGED | NONE | LOW | NONE |
CVSS2 Score: 4.3 - MEDIUM

| Access Vector | Access Complexity | Authentication |
|---|---|---|
| NETWORK | MEDIUM | NONE |

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| NONE | PARTIAL | NONE |
CVE References

| Description | Tags | Link |
|---|---|---|
| oss-security - CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof | Mailing List | www.openwall.com (text/html) |
| Dotclear 2.10.3 › Dotclear News › Dotclear › Blog management made easy | Patch, Vendor Advisory | dotclear.org (text/html) |
| Dotclear: changeset 3352:bb06343f4247 | Patch | web.archive.org (text/html; inactive link, not archived) |
| Dotclear 'admin/auth.php' Password Reset Security Bypass Vulnerability | (none) | cve.report (archive) (text/html) |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Dotclear | Dotclear | All | All | All | All |

- cpe:2.3:a:dotclear:dotclear:*:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE