{"id":"CVE-2018-16988","details":"An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.","modified":"2026-04-10T04:08:56.332770Z","published":"2019-05-02T20:29:00.617Z","references":[{"type":"ADVISORY","url":"https://github.com/grymer/CVE/blob/master/CVE-2018-16988.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ubccr/xdmod","events":[{"introduced":"0"},{"last_affected":"61ed4f4e25c10a9570f5660757ed56788614266b"},{"introduced":"0"},{"last_affected":"201aeb0da7adba04c6585f29d414686ff52a8109"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.0.1"},{"introduced":"0"},{"last_affected":"7.5.0-NA"}]}}],"versions":["v6.6.0-beta.1","v6.6.0-beta.2","v7.0.0","v7.0.1","v7.1.0-alpha.1","v7.5.0","v7.5.0-rc.1","v7.5.0-rc.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.5.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5.0-rc2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16988.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}