PT-2020-10264 · Serpico · Serpico

Published 2020-01-15 · Updated 2021-07-21 · CVE-2019-19857

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Serpico version 1.3.0

Description: The issue allows an admin to change their password without providing the current password by using interfaces other than the Change Password screen. This is particularly dangerous in combination with cross-site scripting (XSS), because it defeats the protection gained by requiring the admin to enter the old password on the Change Password screen.

Recommendations: For Serpico version 1.3.0, consider restricting access to the interfaces that allow password changes outside the Change Password screen as a temporary workaround until a patch is available. Additionally, ensure that all users, especially admins, are cautious when clicking on links or providing sensitive information, to minimize the risk of XSS exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
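As an added illustration of the weakness class described above (example code written for this page, not Serpico's own): a hypothetical Ruby profile-update handler that silently overwrites the stored password hash, beside a hardened version that routes every password change through one check requiring the current password. The user record, field names and handler names are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'
# Constructed in-memory user record standing in for the application's database.
User = Struct.new(:name, :salt, :digest)

def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('SHA256'))
end

# Constant-time comparison so hash checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def create_user(name, password)
  salt = SecureRandom.random_bytes(16)
  User.new(name, salt, derive(password, salt))
end

def authenticate?(user, password)
  secure_equal?(derive(password, user.salt), user.digest)
end

# Single choke point: every path that sets a password (self-service screen, admin
# profile edit, API endpoints) must pass through here and prove the current password.
def change_password(user, current_password, new_password)
  return :bad_current unless current_password.is_a?(String) &&
                             secure_equal?(derive(current_password, user.salt), user.digest)
  return :too_short if new_password.to_s.length < 12
  user.salt = SecureRandom.random_bytes(16)
  user.digest = derive(new_password, user.salt)
  :ok
end

# Weak form (hypothetical): a profile-edit endpoint that overwrites the password from
# whatever the request carries; anything acting with the victim's session can drive it.
def update_profile_unchecked(user, params)
  if params['password']
    user.salt = SecureRandom.random_bytes(16)
    user.digest = derive(params['password'], user.salt)
  end
  :ok
end

# Hardened form: a password field is only honoured via change_password, which
# demands params['current_password'] regardless of which screen submitted it.
def update_profile_checked(user, params)
  return :ok unless params['password']
  change_password(user, params['current_password'], params['password'])
end
```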

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2019-19857

Affected Products

Serpico