PT-2008-6363 · Unknown · Wportfolio

G4N0K · Published 2008-11-25 · Updated 2017-09-29 · CVE-2008-5221

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: wPortfolio versions 0.3 and earlier

Description: The issue concerns the account save action in the admin/userinfo.php file, which does not require authentication and does not demand knowledge of the original password. This allows remote attackers to change the admin account password by modifying the password and password retype parameters.

Recommendations: For wPortfolio versions 0.3 and earlier, consider disabling the account save action in admin/userinfo.php until a patch is available. Restrict access to the admin/userinfo.php file to minimize the risk of exploitation. Avoid using the password and password retype parameters in the affected action until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2008-5221

Affected Products

Wportfolio