CVE-2020-26061

Published: Oct 5, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.

Affected (1)

Products: Clickstudios: Passwordstate

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Clickstudios Passwordstate	Before 8.5

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (4)

https://github.com/missing0x00/CVE-2020-26061

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.clickstudios.com.au/passwordstate-changelog.aspx

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/missing0x00/CVE-2020-26061

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.clickstudios.com.au/passwordstate-changelog.aspx

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.