A vulnerability, which was classified as critical, has been found in the Reset Password Add-On up to 1.1.x on Alfresco.
Forgot the password for your Alfresco account? The Alfresco Reset Password add-on allows users to reset their password comfortably.
It works as follows: the user clicks the reset password button and enters their email address, then receives an email message with a unique link for setting a new password. The link expires in 24h or after a new password is set.
This issue affects an unknown function. The manipulation with an unknown input leads to a SQL injection vulnerability. Using CWE to declare the problem leads to CWE-89.
Confidentiality, integrity, and availability are impacted. An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.
The weakness was published 09/17/2020. The identification of this vulnerability is CVE-2020-25727.
The attack may be initiated remotely. Neither technical details nor an exploit are publicly available.
Upgrading to version 1.2.0 eliminates this vulnerability.