CVE-2023-3222 Information

Description

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube in its 1.2 version which could allow a remote attacker to change an existing user´s password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.

Reference

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-roundcube-password-recovery-plugin