PT-2021-15158 · Unknown · Icx35-Hwc-A+1

Maxim Rupp · Published 2021-02-26 · Updated 2021-03-05 · CVE-2021-22661

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ICX35-HWC-A versions 1.9.62 and prior
ICX35-HWC-E versions 1.9.62 and prior

Description

The module webpage does not require the current password to be entered when the password is changed. As a result, the password can be changed without knowing the current one, potentially enabling unauthorized changes by users or external processes.

Recommendations

For versions 1.9.62 and prior of ICX35-HWC-A and ICX35-HWC-E, consider implementing a workaround that requires the current password to be entered before changing it, or restrict access to the password change functionality until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2021-22661

Affected Products

Icx35-Hwc-A
Icx35-Hwc-E