
CVE-2023-28821: Missing rate limit for password resets

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.37228%
Published: 4/28/2023
Updated: 1/30/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name          Ecosystem   Vulnerable Versions   First Patched Version
concrete5/concrete5   composer    < 9.1.0               9.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a missing rate limit on password reset handling: before 9.1.0, Concrete CMS accepted and acted on an unbounded number of reset requests from the same client, or against the same account, in any period of time. In an MVC framework like Concrete CMS this control belongs in the controller action that processes the reset submission, and it has to run before any reset token is generated or mail is sent, otherwise the expensive work has already happened by the time the request is refused. The advisory states that the fix needed a new library that was only added in 9.1.0, which is why no earlier release is listed as patched and why the affected code is the pre-patch password reset submission handler. No commit details are given, so the exact method is not confirmed; a forgot-password submit action (something of the shape ForgotPassword::submit) is the likely location, but that name is an inference, not a fact from the advisory. The CVSS vector (no confidentiality or integrity impact, A:L) is consistent with the practical effect: an unthrottled reset endpoint is abused to burn resources such as outbound mail and reset tokens, not to take over accounts.
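As an added example (not Concrete CMS code and not taken from the advisory), the control the analysis above describes: a reset submission handler with no throttling beside one that enforces a sliding-window limit keyed by client IP and by target account before any mail is sent. The class and function names, the limits and window, the mail stand-in and the sample requests are all assumptions constructed for this illustration; none of it is Concrete CMS's own API.

```python
"""Added example, not Concrete CMS code: a password-reset submission handler
with no rate limit, beside one that throttles per client IP and per target
account. Names, limits and sample requests are assumptions for this demo."""
import time
from collections import defaultdict, deque


class MailOutbox:
    """Stand-in for the mail transport; records the resets that would be sent."""

    def __init__(self):
        self.sent = []

    def send_reset(self, email):
        self.sent.append(email)


def vulnerable_reset_submit(request, outbox):
    """Pre-fix shape of the handler: every submission triggers a reset mail."""
    _ip, email = request
    outbox.send_reset(email)
    return 200


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class HardenedResetHandler:
    """Post-fix shape: the limit is checked before any token or mail work."""

    def __init__(self, outbox, ip_limit=5, account_limit=3, window=600):
        self.outbox = outbox
        self.by_ip = SlidingWindowLimiter(ip_limit, window)
        self.by_account = SlidingWindowLimiter(account_limit, window)

    def submit(self, request, now=None):
        ip, email = request
        now = time.monotonic() if now is None else now
        account_key = email.strip().lower()  # same account however it is typed
        # Per-IP stops one client hammering the endpoint; per-account stops a
        # distributed attacker flooding one victim. A request refused by the
        # account limit has still spent a per-IP slot, so probing is not free.
        if not self.by_ip.allow(ip, now) or not self.by_account.allow(account_key, now):
            return 429  # Too Many Requests: no token generated, no mail sent
        self.outbox.send_reset(email)
        return 200


def burst_demo():
    """Replay a constructed burst: 20 submissions in 20 s from one IP for one account."""
    burst = [(("198.51.100.7", "Victim@Example.com"), float(t)) for t in range(20)]

    vuln_outbox = MailOutbox()
    for req, _ in burst:
        vulnerable_reset_submit(req, vuln_outbox)

    hard_outbox = MailOutbox()
    handler = HardenedResetHandler(hard_outbox, ip_limit=5, account_limit=3, window=600)
    codes = [handler.submit(req, now=t) for req, t in burst]
    mails_in_burst = len(hard_outbox.sent)

    # Once the window has elapsed the same client is served again.
    after_window = handler.submit(("198.51.100.7", "victim@example.com"), now=700.0)

    return {
        "vulnerable_mails": len(vuln_outbox.sent),
        "hardened_mails": mails_in_burst,
        "hardened_429s": codes.count(429),
        "after_window": after_window,
    }


def distributed_demo():
    """Ten different source IPs, one target account: the per-account limit holds."""
    outbox = MailOutbox()
    handler = HardenedResetHandler(outbox, ip_limit=5, account_limit=3, window=600)
    codes = [handler.submit((f"203.0.113.{n}", "victim@example.com"), now=float(n))
             for n in range(10)]
    return len(outbox.sent), codes.count(429)


if __name__ == "__main__":
    print(burst_demo())
    print(distributed_demo())
```

The two scopes matter separately: a per-IP limit alone is defeated by an attacker spread across many addresses, while a per-account limit alone lets one client enumerate many accounts, so the hardened handler refuses when either budget is exhausted. In a real deployment the counters have to live in storage shared by all web workers (a cache or database), not in process memory as here, and the 429 response should carry the same body for existing and non-existing accounts so the throttle does not become an enumeration oracle.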

WAF Protection Rules

WAF Rule

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.
