{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "7.5.0-rc1" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "7.5.0-rc2" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "7.0.1" }, { "introduced": "0" }, { "last_affected": "7.5.0-NA" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "61ed4f4e25c10a9570f5660757ed56788614266b" }, { "introduced": "0" }, { "last_affected": "201aeb0da7adba04c6585f29d414686ff52a8109" } ], "repo": "https://github.com/ubccr/xdmod", "type": "GIT" } ] } ], "details": "An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.", "id": "CVE-2018-16988", "modified": "2026-03-13T21:53:02.480683239Z", "published": "2019-05-02T20:29:00.617Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/grymer/CVE/blob/master/CVE-2018-16988.md" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }