漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
blueprintUE: Password Reset Tokens Have No Expiry Window
Vulnerability Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair — it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
忘记口令恢复机制弱
Vulnerability Title
blueprintUE self-hosted edition 安全漏洞
Vulnerability Description
blueprintUE self-hosted edition是blueprintUE开源的一个自托管的数据建模与可视化工具。 blueprintUE self-hosted edition 4.2.0之前版本存在安全漏洞,该漏洞源于密码重置令牌生成后,findUserIDFromEmailAndToken函数仅查询匹配的电子邮件和密码重置令牌对,未检查password_reset_at时间戳是否超过任何最大窗口,可能导致生成的重置令牌在明确使用或被后续重置请求覆盖之前无限期有效。
CVSS Information
N/A
Vulnerability Type
N/A