
Cloud Vulnerability DB
A community-led vulnerabilities database
A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and was disclosed on January 10, 2024 (Talos Report).
The vulnerability exists in the password recovery functionality implemented in objects/userRecoverPass.php. When a user requests a password reset, the code generates a recovery code and attempts to send it via email to the user. However, due to improper validation logic, the recovery code is set in the user object even when the CAPTCHA validation fails. This implementation flaw allows an attacker to set a recovery code without triggering the email notification to the legitimate user (Talos Report). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD).
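The bug class described above, as an added illustration that is not AVideo's code: a hypothetical, simplified recovery endpoint in which the recovery code is persisted before the CAPTCHA result is checked (only the e-mail is gated), beside the corrected ordering where a failed CAPTCHA leaves the account untouched. `User`, `captchaOk` and the `$sentMail` log are stand-ins, not project APIs.

```php
<?php
// Hypothetical model of a password-recovery handler (constructed example, not AVideo's code).
// Flaw class: the recovery code is written to the account unconditionally and only the
// notification e-mail is skipped when the CAPTCHA fails, so the legitimate user is never told.

class User {
    public $email;
    public $recoverPass = null;
    public function __construct(string $email) { $this->email = $email; }
}

// Stand-in for a real CAPTCHA check (the real one would compare against session state).
function captchaOk(array $post): bool {
    return isset($post['captcha']) && $post['captcha'] === 'expected';
}

// VULNERABLE ordering: state is mutated first, the CAPTCHA only gates the e-mail.
function recoverVulnerable(User $user, array $post, array &$sentMail): bool {
    $user->recoverPass = bin2hex(random_bytes(16));   // persisted for every request
    if (!captchaOk($post)) {
        return false;                                  // code stays valid, no mail sent
    }
    $sentMail[] = [$user->email, $user->recoverPass];  // stand-in for sending the e-mail
    return true;
}

// FIXED ordering: validate first; generate, persist and notify in a single branch.
function recoverFixed(User $user, array $post, array &$sentMail): bool {
    if (!captchaOk($post)) {
        return false;                                  // account state unchanged
    }
    $user->recoverPass = bin2hex(random_bytes(16));
    $sentMail[] = [$user->email, $user->recoverPass];
    return true;
}

// Constructed request with a wrong CAPTCHA answer.
$mail = [];
$badRequest = ['captcha' => 'wrong'];

$u1 = new User('victim@example.com');
recoverVulnerable($u1, $badRequest, $mail);
// $u1->recoverPass is now set although $mail is still empty: a silent recovery code.

$u2 = new User('victim@example.com');
recoverFixed($u2, $badRequest, $mail);
// $u2->recoverPass is still null and $mail is still empty: the failed request had no effect.
```

A defender reviewing similar handlers can check for the same pattern: any write to the account (token, code, flag) that happens before every precondition (CAPTCHA, rate limit, ownership) has been evaluated.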
The vulnerability allows an attacker to silently create recovery pass codes for any user account without the legitimate user being notified via email. Chained with other vulnerabilities, this could lead to unauthorized access to user accounts (Talos Report).
The vulnerability was patched on December 18, 2023. Users should update to a version after commit 15fed957fb to address this security issue (Talos Report).
Source: This report was generated using AI