Weak password requirements in Admidio - #VU61476

 

Weak password requirements in Admidio - #VU61476

Published: March 20, 2022


Vulnerability identifier: #VU61476
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Admidio
Affected software:
Admidio

Detailed vulnerability description

The vulnerability allows an attacker to compromise the affected account.

The vulnerability exists due to an error in the password change functionality, which did not reset all user's session after password change. An attacker who compromised user's session can retain access to the victim's account even after password change.


Remediation

Install updates from vendor's website.

Sources