PT-2015-3150 · Dovestones · Dovestones Ad Self Password Reset

Adam Caudill · Published 2015-12-24 · Updated 2016-11-28 · CVE-2015-8267

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Dovestones AD Self Password Reset versions prior to 3.0.4.0

Description

The issue lies in the PasswordReset.Controllers.ResetController.ChangePasswordIndex method in PasswordReset.dll, which has inadequate access control. This allows remote attackers to reset arbitrary passwords via a crafted request containing a valid username.

Recommendations

For versions prior to 3.0.4.0, update to version 3.0.4.0 or later to resolve the issue. As a temporary workaround, restrict access to the PasswordReset.Controllers.ResetController.ChangePasswordIndex method until the patch is applied. Until the issue is resolved, avoid using the username variable of the affected API endpoint.
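The advisory names only the method, not its internals. As an added illustration (not Dovestones's code), here is a hypothetical ASP.NET MVC action in the shape the description implies, where a client-supplied username alone selects the account, beside a hardened version that gates the reset on a completed, account-bound challenge. IPasswordStore and IResetChallengeStore are assumed abstractions.

```csharp
using System.Web.Mvc;

// Hypothetical illustration of the flaw class; not the vendor's code.
public interface IPasswordStore { void Set(string user, string password); }
public interface IResetChallengeStore { bool ConsumeIfValid(string user, string token); }

// Vulnerable shape: the only input that selects the account is a
// client-supplied username, and nothing proves the caller owns it.
public class VulnerableResetController : Controller
{
    private readonly IPasswordStore _passwords;
    public VulnerableResetController(IPasswordStore passwords) { _passwords = passwords; }

    [HttpPost]
    public ActionResult ChangePasswordIndex(string username, string newPassword)
    {
        _passwords.Set(username, newPassword);   // any valid username is enough
        return View("Done");
    }
}

// Hardened shape: a self-service reset is unauthenticated by nature, so the
// action must be gated by a challenge completed out of band (e-mail/SMS
// code, security questions) that is bound to the target account,
// single-use and time-limited.
public class HardenedResetController : Controller
{
    private readonly IPasswordStore _passwords;
    private readonly IResetChallengeStore _challenges;
    public HardenedResetController(IPasswordStore p, IResetChallengeStore c)
    { _passwords = p; _challenges = c; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePasswordIndex(string username, string newPassword, string challengeToken)
    {
        // ConsumeIfValid (assumed) succeeds only once per token, only for the
        // account the token was issued to, and only within its lifetime.
        if (string.IsNullOrEmpty(challengeToken) ||
            !_challenges.ConsumeIfValid(username, challengeToken))
        {
            // Same response whether or not the account exists: no username leak.
            return new HttpStatusCodeResult(403);
        }
        _passwords.Set(username, newPassword);
        return View("Done");
    }
}
```

Rate limiting on the endpoint and logging of failed challenge attempts per account complement the check and give detection engineers a signal for the abuse pattern the advisory describes.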

Fix


Weakness Enumeration

Related Identifiers

BDU:2016-00365
CVE-2015-8267

Affected Products

Dovestones Ad Self Password Reset