Weak password requirements in MISP - CVE-2021-25323
Published: January 19, 2021 / Updated: February 9, 2021
MISP
misp-project.org
Description
The vulnerability allows an attacker to perform an unauthorized password change.
The vulnerability exists because the default MISP setting did not enable the requirement (the require_password_confirmation setting) to provide the previous password when changing a password.
An attacker with access to the victim's current session can set a new password for the victim's account.
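The following is an added illustration, not MISP's own code: a minimal password-change handler that models the setting this advisory describes. With the confirmation requirement disabled, a valid session alone is enough to rotate the password; with it enabled, the caller must also prove knowledge of the current password. The `User`, `change_password` and `Settings` names, the PBKDF2 parameters and the sample accounts are all assumptions made for the example.

```python
"""Added example (not MISP code): password change with and without
requiring the current password, modelled on the
require_password_confirmation setting described in the advisory."""
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 parameters chosen for the example, not taken from MISP.
_ITERATIONS = 100_000
_SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    if salt is None:
        salt = os.urandom(_SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    salt, digest = stored[:_SALT_LEN], stored[_SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class User:
    """Constructed user record: a name and a salted password hash."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.password_hash = hash_password(password)


# Mirrors the weak default named in the advisory (confirmation not required).
WEAK_DEFAULT = {"require_password_confirmation": False}
# Hardened configuration: the current password must be supplied.
HARDENED = {"require_password_confirmation": True}


def change_password(user: User, session_user: User, current_password: str,
                    new_password: str, settings: dict) -> bool:
    """Change `user`'s password on behalf of the session holder.

    Returns True when the change was applied. The session check alone is the
    permissive behaviour; the confirmation check is what the hardened setting
    adds, so a stolen or borrowed session cannot silently take over the account.
    """
    if session_user is not user:
        return False  # may only change your own password
    if settings["require_password_confirmation"]:
        if not verify_password(current_password, user.password_hash):
            return False  # current password unknown: refuse the change
    user.password_hash = hash_password(new_password)
    return True


if __name__ == "__main__":
    alice = User("alice", "correct horse")  # constructed sample account
    # Permissive default: a wrong "current" password still succeeds.
    print(change_password(alice, alice, "wrong", "hijacked", WEAK_DEFAULT))
    # Hardened: the same request is refused.
    print(change_password(alice, alice, "wrong", "hijacked", HARDENED))
```

The logging you would want around this in a real deployment is a record of every rejected attempt, since repeated failed confirmations from an existing session are a useful signal that a session has been taken over rather than that the owner simply mistyped.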