Описание
Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter).
Ссылки
- PatchThird Party Advisory
- Release NotesThird Party Advisory
- PatchThird Party Advisory
- Release NotesThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.9.1 (исключая)
cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*
EPSS
Процентиль: 51%
0.00284
Низкий
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
CWE-639
Связанные уязвимости
CVSS3: 8.8
github
больше 3 лет назад
Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter).
EPSS
Процентиль: 51%
0.00284
Низкий
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
CWE-639