Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrNehalr77702207C8F-2B15-4A31-A86A-74FD2FCA0ED1
HistorySep 26, 2022 - 4:32 p.m.

No password confirmation on sensitive action like email change

2022-09-2616:32:00
nehalr777
www.huntr.dev
11
sensitive actions
email change
password confirmation
bug bounty

EPSS

0.002

Percentile

59.6%

JSON

Description

It is important to implement password checks on sensitive features like email change

Proof of Concept

1) Go to https://rdiffweb-demo.ikus-soft.com/login/ 
2) Use the credentials admin , admin123 and login into your account 
3) Navigate to the endpoint https://rdiffweb-demo.ikus-soft.com/prefs/general 
4) Change the email and save changes
5) You will notice that there is no password confirmation during this sensitive action 

Mitigation: There must be a password confirmation on sensitive actions like email change

Related

veracode 1
osv 3
prion 1
cvelist 1
github 1
cve 1
nvd 1
veracode
veracode
Insecure Session Management
2022-10-20 08:18:33
osv
osv
Rdiffweb is missing authentication for critical function
2022-10-20 12:00:17
PYSEC-2022-42977
2022-10-20 00:15:00
CVE-2022-3327
2022-10-20 00:15:09
prion
prion
Authentication flaw
2022-10-20 00:15:00
cvelist
cvelist
CVE-2022-3327 Missing Authentication for Critical Function in ikus060/rdiffweb
2022-10-19 00:00:00
github
github
Rdiffweb is missing authentication for critical function
2022-10-20 12:00:17
cve
cve
CVE-2022-3327
2022-10-20 00:15:09
nvd
nvd
CVE-2022-3327
2022-10-20 00:15:09

EPSS

0.002

Percentile

59.6%

JSON
Related for 02207C8F-2B15-4A31-A86A-74FD2FCA0ED1
veracode1osv3prion1cvelist1github1cve1nvd1