CVE-2021-44152

Name of the Vulnerable Software and Affected Versions: Reprise RLM version 14.2

Description: An issue was discovered where the "/goform/change password process" API endpoint does not verify authentication or authorization, allowing an unauthenticated user to change the password of any existing user. This enables an attacker to change the password of any known user, preventing valid users from accessing the system and granting the attacker full access to that user's account.

Recommendations: For Reprise RLM version 14.2, as a temporary workaround, consider restricting access to the "/goform/change password process" API endpoint until a patch is available. Additionally, monitor user account activity for any suspicious password changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.