An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them…
mitre·CWE-640·Published 2020-06-24
An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id).
An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id).
Se detectó un problema en Navigate CMS versión 2.9 r1433. Al realizar un restablecimiento de contraseña, un usuario recibe un correo electrónico con un código de activación que le permite restablecer su contraseña. Sin embargo, se presenta un fallo cuando no se suministra un código de activación. El sistema permitirá a un usuario no autorizado continuar configurando una contraseña, a pesar de que no se proporcionó un código de activación, configurando la contraseña para el usuario creado más recientemente en el sistema (el usuario con el id de usuario más alta)
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |