CVE-2024-28143

HIGH Year: 2024
CVSS v3 Score
8.4
High
Weakness Type
CWE-620
View all →

Vulnerability Description

The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.

Related Vulnerabilities

CVE-2024-27715

HIGH
CVSS:8.2(High)

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism.

CWE-6202024

CVE-2024-13373

HIGH
CVSS:8.1(High)

The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a u...

CWE-6202024

CVE-2017-14005

HIGH
CVSS:8.8(High)

An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the o...

CWE-6202017

CVE-2018-8916

HIGH
CVSS:8.8(High)

Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.

CWE-6202018

CVE-2022-21934

HIGH
CVSS:8.8(High)

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS...

CWE-6202022

CVE-2024-33699

HIGH
CVSS:8.8(High)

The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the curre...

CWE-6202024