Weak password reset token leads to account takeover in SeedDMS – My First CVE – CVE-2022-44938
Hi Everyone, recently I've discovered a vulnerability in the SeedDMS engine which could let an attacker take over any account (including Administrator). Without further wasting your time, let's dive into the details.

CWE-640: Weak Password Recovery Mechanism for Forgotten Password
CWE-770: Allocation of Resources Without Limits or Throttling

The application allows a user to reset their password by visiting the URL …