CVE-2018-16988
9.8 CRITICAL · An issue was discovered in Open XDMoD through 7.5.0
Published: 2019-05-02 · Last updated: 2026-06-08
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
Affected products
| Vendor | Product |
|---|---|
| buffalo | open_xdmod |
Description
An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.
Source: NVD
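The description gives the attack cost (about 600 guesses) but not the derivation of the rid. The following is an added example, not Open XDMoD's code: it assumes, purely for illustration, that the rid is the MD5 of the issue time in whole seconds, which makes a ten-minute window exactly 600 candidates. That assumption is hypothetical; the point it demonstrates is general: a reset identifier that is a deterministic function of a guessable input has the security of that input's range, not of the hash's output space. The hardened store beside it is the fix a practitioner would expect: a CSPRNG token, stored only as its SHA-256, expiring, and single use. The names (`WeakResetStore`, `SecureResetStore`, `brute_force_weak`, `brute_force_secure`) and the timestamp values are constructed here.

```python
"""Added example (not the project's code): a time-derived reset id brute-forced
in at most one guess per second of the attacker's window, beside a reset flow
built on an unguessable, hashed-at-rest, expiring, single-use token."""
import hashlib
import secrets

WINDOW_SECONDS = 600          # attacker's assumption: reset started within the last 10 minutes
TOKEN_BYTES = 32              # 256 bits of entropy for the hardened token
TOKEN_TTL_SECONDS = 15 * 60   # hardened tokens expire after 15 minutes


# ---- Weak design (hypothetical reconstruction): rid = MD5(issue time in seconds) ----
def weak_reset_id(issued_at: int) -> str:
    """MD5 of a guessable input is itself guessable; the hash adds no entropy."""
    return hashlib.md5(str(issued_at).encode()).hexdigest()


class WeakResetStore:
    """Simulated server-side table of outstanding reset ids."""

    def __init__(self):
        self._pending = {}  # rid -> account

    def issue(self, account: str, issued_at: int) -> str:
        rid = weak_reset_id(issued_at)
        self._pending[rid] = account
        return rid

    def redeem(self, rid: str):
        """Stands in for the reset endpoint: a valid rid yields the account."""
        return self._pending.get(rid)


def brute_force_weak(store: WeakResetStore, now: int, window_seconds: int = WINDOW_SECONDS):
    """Attacker knows only that the victim started a reset within window_seconds.
    Walks back one candidate second at a time; returns (account, guesses)."""
    guesses = 0
    for t in range(now, now - window_seconds, -1):
        guesses += 1
        account = store.redeem(weak_reset_id(t))
        if account is not None:
            return account, guesses
    return None, guesses


# ---- Hardened design: CSPRNG token, hashed at rest, time-limited, single use ----
class SecureResetStore:
    def __init__(self):
        self._pending = {}  # sha256(token) -> (account, expires_at)

    def issue(self, account: str, now: int) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)     # OS CSPRNG, 256 bits
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account, now + TOKEN_TTL_SECONDS)
        return token                                   # only the hash is stored

    def redeem(self, token: str, now: int):
        """Returns the account for a live, unused token; None otherwise."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)        # pop: one use, valid or expired
        if entry is None:
            return None
        account, expires_at = entry
        return account if now <= expires_at else None


def brute_force_secure(store: SecureResetStore, now: int, window_seconds: int = WINDOW_SECONDS):
    """The same time-walking attack against the hardened store: the token is not
    a function of time, so every candidate misses. Returns True only on a hit."""
    for t in range(now, now - window_seconds, -1):
        if store.redeem(weak_reset_id(t), now) is not None:
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000                                  # constructed timestamp
    weak = WeakResetStore()
    weak.issue("victim", now - 137)                      # victim requested a reset 137 s ago
    print("weak store:", brute_force_weak(weak, now))    # ('victim', 138)
    secure = SecureResetStore()
    token = secure.issue("victim", now)
    print("secure brute force hit:", brute_force_secure(secure, now))  # False
    print("secure redeem:", secure.redeem(token, now + 60))            # 'victim'
```

Two things worth noting in the hardened store. Storing only the SHA-256 of the token means a read of the reset table (SQL injection, backup leak) does not hand out usable links, and because the lookup key is a hash of the submitted value, comparison timing tells the attacker nothing about the stored token. Popping the entry on first use, even when it turns out to be expired, guarantees a token can never be replayed after the victim has completed or abandoned the reset.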
Related CVEs
Same vendor
- CVE-2026-45779 — OpenXDMoD is an open framework for collecting and analyzing HPC metrics (9.8 CRITICAL)
- CVE-2026-45778 — OpenXDMoD is an open framework for collecting and analyzing HPC metrics (5.4 MEDIUM)
- CVE-2026-45777 — OpenXDMoD is an open framework for collecting and analyzing HPC metrics (9.8 CRITICAL)
- CVE-2026-45776 — OpenXDMoD is an open framework for collecting and analyzing HPC metrics (4.3 MEDIUM)
Same CWE
- CVE-2026-50635 — LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it (8.8 HIGH)
- CVE-2026-10169 — A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 (3.7 LOW)
- CVE-2026-7459 — The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account ta... (7.5 HIGH)
- CVE-2026-35676 — phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attac... (8.2 HIGH)
- CVE-2026-9609 — A vulnerability was identified in QianFox FoxCMS up to 1.2.6 (4.7 MEDIUM)