ID CVE-2007-3630
Summary changePW.php in AV Tutorial Script (avtutorial) 1.0 does not require authentication or knowledge of an old password for password changes, which allows remote attackers to change passwords for arbitrary users via a modified password parameter.
References
Vulnerable Configurations
  • cpe:2.3:a:av_scripts:av_tutorial_script:1.0:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 29-09-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
refmap via4
bid 24808
exploit-db 4163
osvdb 42461
vim 20070710 AVTutorial 1.0 changePW.php vulnerabilities
xf avtutorialscript-changepw-data-manipulation(35295)
Last major update 29-09-2017 - 01:29
Published 10-07-2007 - 00:30
Last modified 29-09-2017 - 01:29