{"id":"CVE-2020-28874","details":"reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).","modified":"2026-07-10T04:01:15.278593940Z","published":"2021-01-26T18:15:51.020Z","database_specific":{},"references":[{"type":"ADVISORY","url":"https://github.com/projectsend/projectsend/releases/tag/r1295"},{"type":"FIX","url":"https://github.com/projectsend/projectsend/commit/440204734e9a1687cb9887e1c887173d23c5a93e"},{"type":"FIX","url":"https://github.com/projectsend/projectsend/commits/master"},{"type":"EVIDENCE","url":"https://github.com/varandinawer/CVE-2020-28874"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/projectsend/projectsend","events":[{"introduced":"0"},{"fixed":"1ec836a08d8c71d1347cc08552ee7b3bd218f21f"},{"fixed":"440204734e9a1687cb9887e1c887173d23c5a93e"}],"database_specific":{"cpe":"cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"r1295"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["r1270","r1070","r1053","r756","r754","r753","r559"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28874.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}