CVE-2019-11332

Name of the Vulnerable Software and Affected Versions MKCMS version 5.0

Description The issue allows remote attackers to take control of arbitrary user accounts. This is achieved by posting a username and an e-mail address to the "ucenter/repass.php" endpoint, which then triggers the transmission of the password via e-mail.

Recommendations For MKCMS version 5.0, as a temporary workaround, consider disabling the password recovery function in "ucenter/repass.php" until a patch is available. Restrict access to the "ucenter/repass.php" endpoint to minimize the risk of exploitation. Avoid using the username and e-mail address parameters in the affected endpoint until the issue is resolved.