PT-2019-14369 · Sitos · Sitos Six

Published: 2019-10-07 · Updated: 2019-10-09 · CVE-2019-15749

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: SITOS six Build version 6.2.1

Description: The issue allows a user to change their password and recovery email address without confirming the change with their old password. This could be exploited by an attacker with access to the victim's account, for example, via XSS or an unattended workstation, to change the password and address.

Recommendations: For SITOS six Build version 6.2.1, consider implementing a confirmation step for password and recovery email address changes, requiring the user to enter their old password to authorize the change. As a temporary workaround, restrict access to account settings to minimize the risk of exploitation.
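The confirmation step the recommendations describe, shown as an added illustration that is not part of this advisory and not SITOS code. It contrasts a change-password handler that trusts the session alone (the pattern the description reports) with one that re-authenticates the caller with the current password before changing either the password or the recovery email. The `Account` class, the PBKDF2 parameters and the exception names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: iteration count for the example; tune for the deployment's hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class ReauthenticationRequired(Exception):
    """Raised when the current password offered for a sensitive change is wrong."""


class Account:
    """Minimal account record (constructed for the example)."""

    def __init__(self, username: str, password: str, recovery_email: str) -> None:
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        self.recovery_email = recovery_email

    def verify_password(self, candidate: str) -> bool:
        _, digest = hash_password(candidate, self.salt)
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(digest, self.password_hash)


def _require_owner(account: Account, session_user: str) -> None:
    # A logged-in session proves only that the browser holds the session, not
    # that the person at the keyboard is the account owner.
    if session_user != account.username:
        raise PermissionError("session does not belong to this account")


def change_password_without_reauth(account: Account, session_user: str, new_password: str) -> bool:
    """Weak pattern from the advisory: the session is the only check, so anyone
    who can drive the victim's session (XSS, unattended workstation) can lock
    the owner out by setting a new password."""
    _require_owner(account, session_user)
    account.salt, account.password_hash = hash_password(new_password)
    return True


def change_password(account: Account, session_user: str,
                    current_password: str, new_password: str) -> bool:
    """Hardened form: the caller must prove knowledge of the current password."""
    _require_owner(account, session_user)
    if not account.verify_password(current_password):
        raise ReauthenticationRequired("current password does not match")
    account.salt, account.password_hash = hash_password(new_password)
    return True


def change_recovery_email(account: Account, session_user: str,
                          current_password: str, new_email: str) -> bool:
    """The recovery address can reset the password, so it gets the same gate."""
    _require_owner(account, session_user)
    if not account.verify_password(current_password):
        raise ReauthenticationRequired("current password does not match")
    account.recovery_email = new_email
    return True


if __name__ == "__main__":
    acct = Account("alice", "old-secret", "alice@example.invalid")
    try:
        change_password(acct, "alice", "guess", "attacker-chosen")
    except ReauthenticationRequired as exc:
        print("rejected:", exc)
    change_password(acct, "alice", "old-secret", "new-secret")
    print("password rotated:", acct.verify_password("new-secret"))
```

The recovery email is gated the same way as the password because it is itself a password-reset path; confirming only one of the two leaves the other open. In a real application the handler would also invalidate other sessions and notify the previous recovery address after a successful change.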

Fix

Weakness Enumeration

Related Identifiers

CVE-2019-15749

Affected Products

Sitos Six