CVE-2020-25566

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0

Description: The issue allows for account takeover by sending a request to the "Save Password" form. This can be done without requiring a JSESSIONID, enabling the reset of any user's password by modifying the username to the target user and the password to base64 encoded desired password.

Recommendations: For SapphireIMS version 5.0, as a temporary workaround, consider restricting access to the Save Password form until a patch is available. Avoid using the Save Password form to reset passwords until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.