Vulnerability identifier: #VU61476
Vulnerability risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-521
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Admidio
Web applications /
CMS
Vendor: Admidio
Description
The vulnerability allows an attacker to compromise the affected account.
The vulnerability exists due to an error in the password change functionality, which did not reset all user's session after password change. An attacker who compromised user's session can retain access to the victim's account even after password change.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Admidio: 4.1.0 - 4.1.8
External links
http://github.com/Admidio/admidio/releases/tag/v4.1.9
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.