{"id":"CVE-2018-16988","details":"An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.","modified":"2026-05-18T05:50:27.536307918Z","published":"2019-05-02T20:29:00.617Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpes":["cpe:2.3:a:xdmod:open_xdmod:7.5.0:rc1:*:*:*:*:*:*","cpe:2.3:a:xdmod:open_xdmod:7.5.0:rc2:*:*:*:*:*:*"],"vendor_product":"xdmod:open_xdmod","extracted_events":[{"last_affected":"7.5.0-rc1"},{"last_affected":"7.5.0-rc2"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/grymer/CVE/blob/master/CVE-2018-16988.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ubccr/xdmod","events":[{"introduced":"0"},{"last_affected":"61ed4f4e25c10a9570f5660757ed56788614266b"},{"last_affected":"201aeb0da7adba04c6585f29d414686ff52a8109"}],"database_specific":{"source":"CPE_FIELD","cpe":["cpe:2.3:a:xdmod:open_xdmod:*:*:*:*:*:*:*:*","cpe:2.3:a:xdmod:open_xdmod:7.5.0:-:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"7.0.1"},{"last_affected":"7.5.0-NA"}]}}],"versions":["v7.0.1","v7.5.0","v7.5.0-rc.2","v7.5.0-rc.1","v7.1.0-alpha.1","v7.0.0","v6.6.0-beta.2","v6.6.0-beta.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-16988.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}