The password change function at /cgi/admin.cgi does not...
High severity
Unreviewed
Published
Dec 12, 2024
to the GitHub Advisory Database
•
Updated Dec 13, 2024
Description
Published by the National Vulnerability Database
Dec 12, 2024
Published to the GitHub Advisory Database
Dec 12, 2024
Last updated
Dec 13, 2024
The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.
References