Overview
Dovestones Software AD Self Password Reset, version 3.0.3.0 and earlier, fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.
Description
CWE-284: Improper Access Control - CVE-2015-8267

Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.
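As an added illustration of the CWE-284 pattern described above (this is not the vendor's code, which is not reproduced here), a hypothetical ASP.NET MVC controller in which the account to reset is taken straight from the request, beside a version that binds the reset to an identity verified earlier on the server side. The controller and action names mirror the advisory; the helper, the "VerifiedUser" session key and the "Done" action are assumptions.

```csharp
using System.Web.Mvc;
using System.DirectoryServices.AccountManagement;

// Hypothetical ASP.NET MVC controller mirroring the advisory's method name.
// Illustration only; this is not the vendor's code.
public class ResetController : Controller
{
    // CWE-284 pattern: the account to reset and the new password both come
    // from the client, and nothing ties the request to a verified user, so
    // any caller who knows or guesses a username can reset that account.
    [HttpPost]
    public ActionResult ChangePasswordIndex_Vulnerable(string username, string newPassword)
    {
        return ResetInDirectory(username, newPassword);
    }

    // Hardened pattern for a self-service flow: the target account is read
    // only from server-side state written by an earlier verification step
    // (for example, answering enrolled security questions), never from the body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePasswordIndex(string newPassword)
    {
        // "VerifiedUser" is an assumed session key that only the verification step sets.
        var verifiedUser = Session["VerifiedUser"] as string;
        if (string.IsNullOrEmpty(verifiedUser))
            return new HttpStatusCodeResult(403, "Identity verification required");

        Session.Remove("VerifiedUser");   // single use: one verification, one reset
        return ResetInDirectory(verifiedUser, newPassword);
    }

    // Shared directory write; the difference between the two actions is
    // solely where samAccountName comes from.
    private ActionResult ResetInDirectory(string samAccountName, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return HttpNotFound();
            user.SetPassword(newPassword);
            user.Save();
        }
        return RedirectToAction("Done");
    }
}
```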
Impact
A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.
Solution
Apply an update
Vendor Information
CVSS Metrics
| Group | Score | Vector | 
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 
| Temporal | 5.9 | E:POC/RL:OF/RC:C | 
| Environmental | 1.5 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND | 
References
Acknowledgements
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Joel Land.
Other Information
CVE IDs: CVE-2015-8267
Date Public: 2015-12-18
Date First Published: 2015-12-18
Date Last Updated: 2015-12-18 16:43 UTC
Document Revision: 11