Exponent CMS 2.3.5-Change My Password Vulnerability
Reported by Sachin Wagh | December 24th, 2015 @ 09:02 AM | in 2.3.6 (closed)
Information
Vulnerability Type : Exponent CMS 2.3.5-Change My Password Vulnerability
Vulnerable Version : 2.3.5
CVE-ID :
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)
Description
Exponent CMS allows changing the password without knowing the current password.
Credits & Authors
Sachin Wagh (@tiger_tigerboy)
Comments and changes to this ticket
-
dleffler December 24th, 2015 @ 01:40 PM
- Tag set to users
- Assigned user changed from expNinja to dleffler
- Milestone set to 2.3.6
What you are reporting is that a logged on administrator can change their own password without knowing their current password. This can only occur after they have successfully logged on with their correct password.
Though not a security issue, it doesn't appear logical, so we'll fix this.
-
expNinja December 24th, 2015 @ 01:42 PM
- State changed from new to resolved
(from [0e476784cc440bea73abe1f065c68fbba699ee59]) Fix issue where admin user can change their own password without entering their current password [#1321 state:resolved] https://github.com/exponentcms/exponent-cms/commit/0e476784cc440bea...
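The check this ticket asks for, as an added example that is not part of the ticket or of Exponent CMS's own code: a self-service password change that re-verifies the current password even when a valid session already exists. The function name, the in-memory user array, the minimum-length rule and the use of `password_hash`/`password_verify` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user store standing in for a CMS user table (hypothetical).
$users = [
    'admin' => ['hash' => password_hash('old-Passw0rd!', PASSWORD_DEFAULT)],
];

/**
 * Hypothetical handler: change the logged-on user's own password.
 * Returns [bool $ok, string $message].
 */
function change_own_password(array &$users, string $sessionUser,
                             string $current, string $new, string $confirm): array
{
    if (!isset($users[$sessionUser])) {
        return [false, 'not logged on'];
    }
    // Re-authenticate with the current password, so that holding a session
    // alone is not enough to replace the credential.
    if (!password_verify($current, $users[$sessionUser]['hash'])) {
        return [false, 'current password incorrect'];
    }
    if (!hash_equals($new, $confirm)) {
        return [false, 'new passwords do not match'];
    }
    // Assumed policy: at least 8 characters and different from the old one.
    if (strlen($new) < 8 || hash_equals($current, $new)) {
        return [false, 'new password rejected'];
    }
    $users[$sessionUser]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    // In a real request handler, also call session_regenerate_id(true) here
    // and invalidate the user's other active sessions.
    return [true, 'password changed'];
}

// Constructed calls: empty and wrong current passwords are refused,
// the correct one is accepted.
$attempts = ['', 'guess-1234', 'old-Passw0rd!'];
foreach ($attempts as $current) {
    [$ok, $msg] = change_own_password($users, 'admin', $current,
                                      'new-Passw0rd!', 'new-Passw0rd!');
    printf("current=%-15s ok=%s (%s)\n", var_export($current, true),
           $ok ? 'true' : 'false', $msg);
}
```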
Bug Tracker for Exponent CMS