CVE-2024-28143
Dec. 13, 2024, 4:15 p.m.
Tags
CVSS Score
Product(s) Impacted
UNKNOWN
Description
The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.
Weaknesses
CWE-620
Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
CWE ID: 620Date
Published: Dec. 12, 2024, 2:15 p.m.
Last Modified: Dec. 13, 2024, 4:15 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
551230f0-3615-47bd-b7cc-93e92e730bbf
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
Exploitability Score
Impact Score
Base Severity
HIGHCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H