PT-2018-14963 · Ucms · Ucms

Published: 2018-11-22 · Updated: 2019-10-03 · CVE-2018-19437

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: UCMS version 1.4.7

Description: The issue allows remote authenticated users to change the administrator password. This is possible because the software accepts the value of $_COOKIE['admin_'.cookiehash] whenever that cookie is set and not empty, whatever its value, without validating it.

Recommendations: For UCMS version 1.4.7, consider restricting access to the administrator password change functionality until a proper fix is applied, and ensure that cookie values are properly validated to prevent unauthorized changes.

Related Identifiers: CVE-2018-19437

Affected Products: Ucms