Dovestones Software AD Self Password Reset, version 18.104.22.168 and earlier, fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.
CWE-284: Improper Access Control - CVE-2015-8267
Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.
A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.
Apply an update
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Joel Land.
|Date First Published:||2015-12-18|
|Date Last Updated:||2015-12-18 16:43 UTC|