Insecure random number generation in password reset token

Issue: SI-66
Date: Nov 30, 2022, 12:00:00 AM
Severity: High
Requires Admin Access: No
Fix Version: 22.12+, LTS 21.06.12+, LTS 22.03.4+
Credit: Omkar Bhagwat
Description:

The dotCMS password reset token is generated with randomAlphanumeric(), a method that is not cryptographically secure and whose output can be brute-forced. This may allow an attacker to gain access to the admin account by requesting a password reset token for herself and for the admin back to back. The attacker then receives her own password reset token by email and uses a brute-force technique to generate the subsequent token (which is the admin's).

This vulnerability was introduced in dotCMS version 5.3.0. Users of earlier versions are not affected by this report.
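The following is an added illustration, not dotCMS code: a reset-token generator built on java.util.Random (the generator behind randomAlphanumeric()) beside a replacement that draws the token from SecureRandom, stores only a hash of it, and compares in constant time. Class and method names are assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class ResetTokenExample {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Before: java.util.Random is a deterministic 48-bit LCG. Every output is a
    // function of the previous state, so one observed token narrows the next.
    private static final Random WEAK = new Random();

    static String weakToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(WEAK.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // After: 32 bytes (256 bits) from the platform CSPRNG, URL-safe base64.
    // Successive outputs carry no usable relationship to one another.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static String secureToken() {
        byte[] raw = new byte[32];
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Persist only SHA-256(token): a leaked table row is not a usable reset link.
    static byte[] tokenHash(String token) throws Exception {
        return MessageDigest.getInstance("SHA-256")
            .digest(token.getBytes(StandardCharsets.US_ASCII));
    }

    // MessageDigest.isEqual is constant-time, so response timing does not leak
    // how many leading bytes of a guessed token were correct.
    static boolean tokenMatches(String presented, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(tokenHash(presented), storedHash);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak   : " + weakToken(20));
        String issued = secureToken();
        byte[] stored = tokenHash(issued);
        System.out.println("secure : " + issued);
        System.out.println("own token accepted : " + tokenMatches(issued, stored));
        System.out.println("other token accepted: " + tokenMatches(secureToken(), stored));
    }
}
```

Callers who must keep the alphanumeric format can pass a SecureRandom to the commons-lang3 overload RandomStringUtils.random(count, 0, 0, true, true, null, new SecureRandom()) instead of randomAlphanumeric(). Tokens should also expire after a short window and be single-use, which limits the value of any one captured token.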

Mitigation:
  • Upgrade to one of the versions of dotCMS listed above:
    • 22.12
    • LTS 21.06.12
    • LTS 22.03.4
  • Use a WAF to block POSTs to the /api/v1/changePassword endpoint
References:
  • CVE-2022-45782