Authentication flaw

2008-11-2518:30:00

PRIOn knowledge base

www.prio-n.com

7.6 High

AI Score

Confidence

Low

0.046 Low

EPSS

Percentile

92.6%

JSON

The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters.

CPENameOperatorVersion
wportfoliole0.3
wportfolioeq0.2

CPE	Name	Operator	Version
	wportfolio	le	0.3
	wportfolio	eq	0.2

References

securityreason.com/securityalert/4631

www.securityfocus.com/bid/32384

www.vupen.com/english/advisories/2008/3219

exchange.xforce.ibmcloud.com/vulnerabilities/46772

www.exploit-db.com/exploits/7170