Weak password requirements in Admidio

#VU61476 Weak password requirements in Admidio

Published: 2022-03-20

Vulnerability identifier: #VU61476

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-521

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Admidio
Web applications / CMS

Vendor: Admidio

Description

The vulnerability allows an attacker to compromise the affected account.

The vulnerability exists due to an error in the password change functionality, which did not reset all user's session after password change. An attacker who compromised user's session can retain access to the victim's account even after password change.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Admidio: 4.1.0 - 4.1.8

External links
http://github.com/Admidio/admidio/releases/tag/v4.1.9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in Admidio