PT-2018-18843 · Iomega+1
Published 2018-09-28 · Updated 2019-01-07 · CVE-2018-9082
CVSS v3.1 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier
Description
The password-changing functionality does not require the user's current password before setting a new one. An attacker who holds a valid session token for the account can therefore set a new password for it without knowing the existing one, and keeps access to the account afterwards.
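As an added illustration of this weakness (example code written for this page, not the vendor's firmware; the `Account` class, the two `change_password_*` handlers and the PBKDF2 storage are assumptions), the vulnerable handler shape is shown beside a hardened one that re-checks the current password and revokes every other session, and `scenario()` walks a constructed case with one exposed session token through both:

```python
import hashlib
import hmac
import secrets

def _derive(password, salt):
    # PBKDF2 stand-in for whatever hashing the real product uses (assumed)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.sessions = set()   # live session tokens for this account
        self.set_password(password)
    def set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _derive(password, self.salt)
    def verify_password(self, password):
        return hmac.compare_digest(_derive(password, self.salt), self.pw_hash)
    def login(self, password):
        if not self.verify_password(password):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

# Vulnerable shape: a valid session token alone is enough to set a new password.
def change_password_vulnerable(acct, token, new_pw):
    if token not in acct.sessions:
        return False
    acct.set_password(new_pw)
    return True

# Hardened shape: re-authenticate with the current password, then revoke every
# other session so a previously exposed token stops working.
def change_password_hardened(acct, token, current_pw, new_pw):
    if token not in acct.sessions or not acct.verify_password(current_pw):
        return False
    acct.set_password(new_pw)
    acct.sessions = {token}
    return True

def scenario():
    # Constructed walk-through with one session token exposed to a third party.
    a = Account("correct-horse")
    exposed = a.login("correct-horse")
    vuln_changed = change_password_vulnerable(a, exposed, "third-party-pw")
    owner_locked_out = a.login("correct-horse") is None
    b = Account("correct-horse")
    exposed_b = b.login("correct-horse")
    hard_rejected = not change_password_hardened(b, exposed_b, "guess", "third-party-pw")
    owner = b.login("correct-horse")
    change_password_hardened(b, owner, "correct-horse", "rotated-pw")
    return {"vuln_changed": vuln_changed, "owner_locked_out": owner_locked_out,
            "hard_rejected": hard_rejected, "exposed_revoked": exposed_b not in b.sessions}
```

In the vulnerable branch the legitimate owner is locked out by the password change; in the hardened branch the change is refused without the current password, and the owner's own change invalidates the exposed token.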
Recommendations
For versions 4.1.402.34662 and earlier, consider disabling the password-changing functionality until a fix is available, and restrict access to user accounts to minimize the risk of exploitation.
Fix
Session Fixation
Weakness Enumeration
Related Identifiers
Affected Products
Iomega
Lenovoemc Nas