Vulnerability Note VU#757840
Dovestones Software AD Self Password Reset fails to properly restrict password reset request to authorized users
Dovestones Software AD Self Password Reset, version 18.104.22.168 and earlier, fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.
CWE-284: Improper Access Control - CVE-2015-8267
Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.
A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Dovestones Software||Affected||19 Oct 2015||18 Dec 2015|
CVSS Metrics (Learn More)
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-8267
- Date Public: 18 Dec 2015
- Date First Published: 18 Dec 2015
- Date Last Updated: 18 Dec 2015
- Document Revision: 10
If you have feedback, comments, or additional information about this vulnerability, please send us email.