PT-2019-14369 · Sitos · Sitos Six

Published

2019-10-07

·

Updated

2019-10-09

·

CVE-2019-15749

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

SITOS six Build version 6.2.1

Description

The application allows a user to change their password and recovery email address without confirming the change with their current password. An attacker who already has access to the victim's authenticated account, for example through XSS or an unattended workstation, could use this to change both the password and the recovery address and lock the legitimate user out.

Recommendations

For SITOS six Build version 6.2.1, implement a confirmation step for password and recovery email address changes that requires the user to enter their current password to authorize the change. As a temporary workaround, restrict access to the account settings page to reduce the risk of exploitation.
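The re-authentication step the recommendation asks for, shown as an added illustration that is not SITOS code: a settings handler with the flaw described above beside a hardened one that refuses to touch either field unless the current password is verified first. The account model, PBKDF2 parameters and function names are assumptions for the example.

```python
# Added example (not SITOS code): missing re-authentication on sensitive
# account changes (CVE-2019-15749), vulnerable handler beside the fixed one.
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumption: any modern password KDF works here


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    recovery_email: str


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(username: str, password: str, recovery_email: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), recovery_email)


def verify_password(account: Account, candidate: str) -> bool:
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(account.password_hash, hash_password(candidate, account.salt))


def update_settings_vulnerable(account: Account, new_password: str, new_recovery_email: str) -> None:
    """Mirrors the advisory: anyone holding the session can rotate the password
    and recovery address without proving knowledge of the current password."""
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.recovery_email = new_recovery_email


def update_settings_hardened(account: Account, current_password: str,
                             new_password: str, new_recovery_email: str) -> bool:
    """Recommended fix: re-authenticate before either field changes.
    Returns False and leaves the account untouched when the check fails."""
    if not verify_password(account, current_password):
        return False
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.recovery_email = new_recovery_email
    return True
```

A real deployment would also log failed re-authentication attempts and notify the old recovery address when either field changes, so a takeover attempt leaves a trail.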


Weakness Enumeration

Related identifiers

CVE-2019-15749

Affected products

Sitos Six