Vulnerability CVE-2020-26061


Published: 2020-10-05

Description:
ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.

Type:

CWE-640

(Weak Password Recovery Mechanism for Forgotten Password)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Affected software:
Clickstudios -> Passwordstate

References:
https://github.com/missing0x00/CVE-2020-26061
https://www.clickstudios.com.au/passwordstate-changelog.aspx

Copyright 2024, cxsecurity.com
