PT-2021-20556 · Unknown · Mbconnect24+2

Published: 2021-08-02 · Updated: 2023-02-03 · CVE-2021-34574

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
mymbCONNECT24 versions through 2.11.2
mbCONNECT24 versions through 2.11.2
Helmholz myREX24 versions through 2.11.2
myREX24.virtual versions through 2.11.2
Description: An authenticated attacker can change the password of their own account to one that violates the password policy. The policy is applied before the password-change request leaves the client; the server does not re-validate the new password, so an attacker who intercepts the request (for example in a proxy) and replaces the new password with a non-compliant value has it accepted.
Recommendations: All four products (mymbCONNECT24, mbCONNECT24, Helmholz myREX24 and myREX24.virtual, versions through 2.11.2) are affected by the same issue, so the same measures apply to each. Apply the vendor's fixed version once available. Until then, either enforce the password policy on the server side of the password-change endpoint, rejecting any new password that fails the policy regardless of what the client submitted, or restrict or temporarily disable the password-change function. Note that the attacker must already hold a valid account and can only weaken their own password; the direct impact is a reduction of that account's resistance to guessing attacks, which is why the CVSS rating is Medium (low integrity impact, no confidentiality or availability impact).
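The following is an added example, not code from the advisory or from the affected products, that shows the weakness class in miniature: a password-change handler that trusts a client-side policy check beside one that re-validates on the server. The endpoint shape, the form field names (`current_password`, `new_password`, `policy_ok`), the policy rules and the sample request body are all assumptions made for this illustration; the vendors' actual API is not described on the page.

```python
"""Server-side password-policy enforcement versus a client-only check.

Added example, not the vendor's code. Field names, the policy rules and the
tampered request body are assumptions constructed for illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumed policy: 12+ characters, upper, lower, digit and symbol.
MIN_LENGTH = 12
RULES = {
    "min_length": lambda p: len(p) >= MIN_LENGTH,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "symbol": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}


def policy_violations(password: str) -> list:
    """Names of every rule the candidate password fails; empty list means compliant."""
    return [name for name, check in RULES.items() if not check(password)]


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_user(name: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def change_password_vulnerable(user: User, form: dict) -> dict:
    """Weak pattern: the browser's JavaScript checks the policy and sets a
    'policy_ok' flag before submitting; the server trusts that flag. Editing the
    POST body in an intercepting proxy lets a weak password through."""
    if form.get("policy_ok") != "1":
        return {"status": 400, "error": "password does not meet policy"}
    user.pw_hash = hash_password(form["new_password"], user.salt)
    return {"status": 200}


def change_password_hardened(user: User, form: dict) -> dict:
    """Fixed pattern: re-authenticate and re-validate on the server; ignore
    anything the client says about policy compliance."""
    if not verify_password(user, form.get("current_password", "")):
        return {"status": 403, "error": "current password incorrect"}
    new_password = form.get("new_password", "")
    violations = policy_violations(new_password)
    if violations:
        return {"status": 400, "error": "password does not meet policy",
                "violations": violations}
    user.pw_hash = hash_password(new_password, user.salt)
    return {"status": 200}


# Constructed request body as it might look after editing in a proxy: the
# browser would never have sent "abc" together with policy_ok=1.
TAMPERED_FORM = {"current_password": "Correct-Horse-Battery-9!",
                 "new_password": "abc", "policy_ok": "1"}


def demo() -> dict:
    """Run both handlers against the tampered request and report what each accepted."""
    results = {}
    u1 = make_user("alice", "Correct-Horse-Battery-9!")
    results["vulnerable"] = change_password_vulnerable(u1, TAMPERED_FORM)["status"]
    results["vulnerable_weak_pw_set"] = verify_password(u1, "abc")
    u2 = make_user("alice", "Correct-Horse-Battery-9!")
    results["hardened"] = change_password_hardened(u2, TAMPERED_FORM)["status"]
    results["hardened_weak_pw_set"] = verify_password(u2, "abc")
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened handler also re-checks the current password before accepting a change; that is a second, independent control against session-riding abuse of self-service password endpoints, and it costs nothing once the policy check has been moved server-side.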

Fix

Weakness Enumeration

Related Identifiers

CVE-2021-34574

Affected Products

Helmholz Myrex24
Mbconnect24
Myrex24.Virtual