CVE-2008-6524

Name of the Vulnerable Software and Affected Versions openInvoice versions 0.90 beta and earlier

Description The issue allows remote authenticated users to change the passwords of arbitrary users by modifying the uid parameter in the resetpass.php file. This can be exploited in conjunction with a separate vulnerability in auth.php to modify passwords without authentication.

Recommendations For openInvoice versions 0.90 beta and earlier, avoid using the resetpass.php file until a patch is available. As a temporary workaround, consider restricting access to the resetpass.php file to prevent unauthorized password changes. Additionally, restrict the use of the uid parameter in the resetpass.php file to minimize the risk of exploitation.