Vulnerability CVE-2021-44152


Published: 2021-12-13

Description:
An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.

See advisories in our WLB2 database:
Topic: Reprise License Manager 14.2 Unauthenticated Password Change (Med.)
Author: Andreas Fyhn And...
Date: 08.12.2021

Type: CWE-287 (Improper Authentication)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software: Reprisesoftware -> Reprise license manager

References:
https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html
