ГлавнаяУязвимости → CVE-2024-28143
8.4высокая

CVE-2024-28143

Описание

The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.

CVSS
Балл8.4 — высокая
ВекторCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://r.sec-consult.com/imageaccesshttps://www.imageaccess.de/?page=SupportPortal&lang=enhttp://seclists.org/fulldisclosure/2024/Dec/2