Vulnerability Details CVE-2015-8707
Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not canceled after use, which allows remote attackers to obtain user passwords via a crafted external service with access to the referrer field.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 5.0
References
Products affected by CVE-2015-8707
-
cpe:2.3:a:magento:magento:1.14.1.0
-
cpe:2.3:a:magento:magento:1.14.2.1
-
cpe:2.3:a:magento:magento:1.9.1.0
-
cpe:2.3:a:magento:magento:1.9.2.1