The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password via the setpass action parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue: a request that carries the victim's session cookie is enough, because nothing in the request proves that the user initiated it or knows the current password.
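The following is an added illustration, not the vendor's code and not from the advisory: a minimal Python model of the password-change handler in the flawed form the advisory describes, next to a hardened form that re-authenticates with the old password and binds the request to a per-session anti-CSRF token. The parameter names (action, user, newpass, oldpass, csrf_token), the in-memory user store and the sample attacker page are assumptions for illustration only.

```python
"""Added example: vulnerable vs. hardened password-change handler.

Not the vendor's code. Parameter names, the user store and the attacker
page below are assumptions chosen to illustrate the advisory's point.
"""
import hashlib
import hmac
import secrets


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory user store (assumption, not the product's)."""

    def __init__(self):
        self._users = {}

    def set_password(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, _hash(password, salt))

    def verify(self, name: str, password: str) -> bool:
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash(password, salt))


def vulnerable_admin_cgi(store: UserStore, session: dict, form: dict) -> int:
    """Models the flaw: any request with action=setpass that arrives with a
    logged-in session cookie changes the password. No old password, no
    anti-CSRF token, so a cross-site form post from the victim's browser
    succeeds (CWE-620)."""
    if session.get("user") is None:
        return 401
    if form.get("action") == "setpass":
        store.set_password(form["user"], form["newpass"])
        return 200
    return 400


def hardened_admin_cgi(store: UserStore, session: dict, form: dict) -> int:
    """Self-service password change with the three missing checks added."""
    if session.get("user") is None:
        return 401
    if form.get("action") != "setpass":
        return 400
    # 1. Reject cross-site requests: the token is bound to the session and a
    #    forged form on a third-party page cannot know it.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.get("csrf_token", "")):
        return 403
    # 2. Only the account owner may change its own password on this path.
    if form.get("user") != session["user"]:
        return 403
    # 3. Re-authenticate: prove knowledge of the current password.
    if not store.verify(session["user"], form.get("oldpass", "")):
        return 403
    store.set_password(session["user"], form["newpass"])
    return 200


# Constructed attacker page (assumption): an auto-submitting form hosted on a
# third-party site. The victim's browser attaches its session cookie, and the
# vulnerable handler accepts the request.
CSRF_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="http://TARGET/cgi/admin.cgi">
  <input type="hidden" name="action" value="setpass">
  <input type="hidden" name="user" value="admin">
  <input type="hidden" name="newpass" value="attacker-chosen">
</form></body></html>"""


def demo() -> dict:
    """Runs the forged request against both handlers; returns outcomes."""
    forged = {"action": "setpass", "user": "admin", "newpass": "pwned"}
    session = {"user": "admin", "csrf_token": secrets.token_hex(16)}

    weak = UserStore()
    weak.set_password("admin", "old-secret")
    weak_status = vulnerable_admin_cgi(weak, session, dict(forged))

    strong = UserStore()
    strong.set_password("admin", "old-secret")
    strong_status = hardened_admin_cgi(strong, session, dict(forged))

    return {
        "vulnerable_status": weak_status,
        "vulnerable_takeover": weak.verify("admin", "pwned"),
        "hardened_status": strong_status,
        "hardened_intact": strong.verify("admin", "old-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The forged form carries neither oldpass nor csrf_token, which is exactly what a cross-site page can produce; the vulnerable handler returns 200 and the account is taken over, while the hardened handler returns 403 and the old password still works. Either of the two added checks alone would stop the CSRF vector, but only the old-password check also protects against a session that is hijacked by other means.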
Reserved 2024-03-05 | Published 2024-12-12 | Updated 2024-12-13 | Assigner SEC-VLab
CWE-620 Unverified Password Change
Daniel Hirschberger (SEC Consult Vulnerability Lab)
Tobias Niemann (SEC Consult Vulnerability Lab)
r.sec-consult.com/imageaccess
www.imageaccess.de/?page=SupportPortal&lang=en