CVE-2020-14015

Name of the Vulnerable Software and Affected Versions Navigate CMS version 2.9 r1433

Description An issue was discovered that allows unauthorized users to reset passwords without a valid activation code. When no activation code is supplied during a password reset, the system permits the user to continue setting a password, which results in the password being set for the most recently created user in the system, i.e., the user with the highest user id.

Recommendations For Navigate CMS version 2.9 r1433, as a temporary workaround, consider disabling the password reset functionality until a patch is available. Restrict access to the password reset module to minimize the risk of exploitation. Avoid using the password reset feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.