CVE-2020-10102

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-10102

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10102.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-10102

Published

2020-03-05T01:15:11.957Z

Modified

2026-03-14T09:48:00.021097Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.

References

https://zammad.com/news/security-advisory-zaa-2020-07

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type

GIT

Repo

https://github.com/zammad/zammad

Events

Introduced

9bdf6d7b816d4e55501e13d12dc0d9b53cf16f5c

Last affected

e0ff35cb1492d1fd09f971ead0426ea6acbbef30

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "last_affected": "3.2.0"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10102.json"