PT-2014-6239 · Dell · Dell Sonicwall Scrutinizer

Brandonprry

Published

2014-07-16

Updated

2018-03-12

CVE-2014-4976

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions Dell SonicWall Scrutinizer version 11.0.1

Description The issue allows remote authenticated users to change user passwords. This is achieved by modifying the savePrefs parameter in a change password request to the "cgi-bin/admin.cgi" endpoint, specifically by utilizing the user ID.

Recommendations For Dell SonicWall Scrutinizer version 11.0.1, consider restricting access to the "cgi-bin/admin.cgi" endpoint until a patch is available. As a temporary workaround, avoid using the user ID in the savePrefs parameter to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2014-4976

Affected Products

Dell Sonicwall Scrutinizer

PT-2014-6239 · Dell · Dell Sonicwall Scrutinizer

CVE-2014-4976

Weakness Enumeration

Related Identifiers

Affected Products

References · 8