search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Dovestones Software AD Self Password Reset fails to properly restrict password reset request to authorized users

Vulnerability Note VU#757840

Original Release Date: 2015-12-18 | Last Revised: 2015-12-18


Dovestones Software AD Self Password Reset, version and earlier, fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.


CWE-284: Improper Access Control - CVE-2015-8267

Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.


A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.


Apply an update

The vendor has released version and has worked directly with customers to address this and other vulnerabilities. Users are encouraged to update to the latest version.

Vendor Information


Dovestones Software Affected

Notified:  October 19, 2015 Updated: December 18, 2015



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.9 E:POC/RL:OF/RC:C
Environmental 1.5 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Adam Caudill for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-8267
Date Public: 2015-12-18
Date First Published: 2015-12-18
Date Last Updated: 2015-12-18 16:43 UTC
Document Revision: 11

Sponsored by CISA.