CVE-2015-10071: Fix EZP-24140: Potential vulnerability in eZ Publish password recovery · gitter-badger/ezpublish-modern-legacy@5908d5e

A vulnerability was found in gitter-badger ezpublish-modern-legacy and rated as problematic. It affects the password-recovery handling in the file kernel/user/forgotpassword.php, where the recovery key is generated from a predictable source, leading to weak password recovery. Upgrading to version 1.0 addresses this issue. The name of the patch is 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951.



Fix EZP-24140: Potential vulnerability in eZ Publish password recovery

Use openssl_random_pseudo_bytes() if available, otherwise fall back to mt_rand(). Use microtime() for entropy.
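The commit message above describes the fix: replace the mt_rand()-seeded recovery key with CSPRNG output when available. The following is an added example, not eZ Publish or glye's code, showing the weak form beside a hardened form that fails closed when no cryptographically strong generator is present and stores only a hash of the token. The function names (weakRecoveryToken, generateRecoveryToken, hashRecoveryToken, verifyRecoveryToken) and the one-hour lifetime are assumptions for illustration.

```php
<?php
// Added example, not part of the original commit or of eZ Publish.

// Weak form, mirroring the pre-patch line: time() is known to within a second
// and mt_rand() (Mersenne Twister) is not a cryptographic generator, so the
// resulting key has very little unpredictability.
function weakRecoveryToken(int $userId): string
{
    return md5($userId . ':' . time() . ':' . mt_rand());
}

// Hardened form: 32 bytes from a CSPRNG, failing closed instead of degrading
// to mt_rand() when no strong source is available.
function generateRecoveryToken(): string
{
    if (function_exists('random_bytes')) {            // PHP >= 7.0
        $bytes = random_bytes(32);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        // Second argument is set by reference; it reports whether the bytes
        // came from a cryptographically strong source.
        $bytes = openssl_random_pseudo_bytes(32, $strong);
        if ($bytes === false || $strong !== true) {
            throw new RuntimeException('No cryptographically strong RNG available');
        }
    } else {
        throw new RuntimeException('No cryptographically strong RNG available');
    }
    return bin2hex($bytes); // 64 hex characters, 256 bits of entropy
}

// Persist only a hash of the token so a database read does not yield a usable link.
function hashRecoveryToken(string $token): string
{
    return hash('sha256', $token);
}

// Verify a presented token against the stored hash with a constant-time compare
// and an expiry window (assumed: one hour).
function verifyRecoveryToken(string $presented, string $storedHash, int $issuedAt, int $ttlSeconds = 3600): bool
{
    if (time() - $issuedAt > $ttlSeconds) {
        return false; // expired
    }
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Usage: the raw token goes into the e-mailed link, the hash into the database.
$issuedAt = time();
$token    = generateRecoveryToken();
$stored   = hashRecoveryToken($token);
var_dump(verifyRecoveryToken($token, $stored, $issuedAt));
var_dump(verifyRecoveryToken('not-the-token', $stored, $issuedAt));
```

The design choice worth noting is the absence of an mt_rand() fallback: a recovery flow that cannot obtain strong randomness should refuse the request rather than issue a guessable key, and comparing hashes with hash_equals() avoids leaking the match position through timing.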


glye committed May 11, 2015

1 parent 7d72ff9 commit 5908d5ee65fec61ce0e321d586530461a210bf2a

Showing 1 changed file with 5 additions and 1 deletion.

kernel/user/forgotpassword.php (6 changes)


@@ -113,7 +113,11 @@

$user = $users[0];

$time = time();

$userID = $user->id();

$hashKey = md5( $userID . ‘:’ . $time . ‘:’ . mt_rand() );

$hashKey = md5(

$userID . ‘:’ . microtime() . ‘:’ .

( function_exists( “openssl_random_pseudo_bytes” ) ?

openssl_random_pseudo_bytes( 32 ) : mt_rand() )

);

// Create forgot password object

if ( eZOperationHandler::operationIsAvailable( ‘user_forgotpassword’ ) )
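Review bot: the fallback branch in the new $hashKey expression still yields a predictable key. On a PHP build without the openssl extension, `( function_exists( "openssl_random_pseudo_bytes" ) ? openssl_random_pseudo_bytes( 32 ) : mt_rand() )` degrades to the same mt_rand() the removed line relied on, and microtime() adds only a few bits over time(), so the fix is conditional on the deployment. Prefer failing closed (abort the recovery request, or log and disable the feature) when no cryptographically strong source is available. Also pass and check the second by-reference argument of openssl_random_pseudo_bytes() (the strong-result flag), since the function can return bytes that are not cryptographically strong and the hunk currently uses its output unconditionally.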
