CVE-2018-25177

Name of the Vulnerable Software and Affected Versions Data Center Audit version 2.6.2

Description The software contains a cross-site request forgery condition that permits attackers to reset administrator passwords without authentication. This is achieved by submitting specially designed POST requests. Attackers can send requests to the /dca resetpw.php endpoint with the following parameters: updateuser, pass, pass2, and submit reset to modify the admin account password and obtain administrative access.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /dca resetpw.php endpoint to authorized users only.