ID CVE-2014-6607
Summary M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.
References
Vulnerable Configurations
  • cpe:2.3:a:mmonit:m\/monit:*:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 07-10-2014 - 23:18)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
exploit-db 34718
fulldisc 20140919 M/Monit - Account hijacking via CSRF
misc http://packetstormsecurity.com/files/128321/M-Monit-3.2.2-Cross-Site-Request-Forgery.html
Last major update 07-10-2014 - 23:18
Published 06-10-2014 - 23:55
Last modified 07-10-2014 - 23:18