Incorrect Access Control – CVE-2017-8916

Released June 16, 2017

Available for CIS-CAT Pro Dashboard

Affected Product Base:

CIS-CAT Pro Dashboard - 1.0.0, fixed in 1.0.4
CIS-CAT Pro Dashboard - 1.0.1, fixed in 1.0.4
CIS-CAT Pro Dashboard - 1.0.2, fixed in 1.0.4
CIS-CAT Pro Dashboard - 1.0.3, fixed in 1.0.4

Vulnerability Type:

Incorrect Access Control

Description:

An authenticated user is able to change an administrative user's e-mail address and then trigger a "forgot password" e-mail for that account, which is delivered to the address they control, thereby gaining administrative access.

Attack Type:

Local
To exploit this vulnerability, a user must be logged in to the system.
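The flaw described above is a missing authorization check on the e-mail-change handler. The following added example (not CIS-CAT Pro Dashboard code; all users, addresses and method names are constructed) models that pattern in a tiny account service and places the hardened handler beside it: the owner-or-admin check, plus staging the new address until the account owner confirms it, so a password-reset mail keeps going to the previously verified mailbox.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    uid: int
    role: str                            # "admin" or "user"
    email: str                           # verified address that receives reset mail
    pending_email: Optional[str] = None  # new address waiting for the owner to confirm

class AccountService:
    def __init__(self, users):
        self.users = {u.uid: u for u in users}

    # Vulnerable pattern: the handler trusts the caller-supplied target id and
    # never asks whether the logged-in actor is allowed to edit that record.
    def change_email_vulnerable(self, actor_uid, target_uid, new_email):
        self.users[target_uid].email = new_email

    # Hardened: only the record owner or an admin may edit it, and the change is
    # staged until the owner confirms it from the old mailbox.
    def change_email(self, actor_uid, target_uid, new_email):
        if actor_uid != target_uid and self.users[actor_uid].role != "admin":
            raise PermissionError(f"user {actor_uid} may not edit user {target_uid}")
        self.users[target_uid].pending_email = new_email

    def confirm_email(self, uid):
        u = self.users[uid]
        u.email, u.pending_email = u.pending_email, None

    # Reset mail always goes to the currently verified address.
    def request_password_reset(self, uid):
        return self.users[uid].email

def fresh_service():
    return AccountService([User(1, "admin", "admin@example.test"),
                           User(2, "user", "alice@example.test")])

def demo():
    # Returns (where the admin's reset mail lands in the vulnerable service,
    # whether the hardened service refused the edit, where it lands there).
    weak = fresh_service()
    weak.change_email_vulnerable(actor_uid=2, target_uid=1, new_email="alice@example.test")
    hijacked_to = weak.request_password_reset(1)
    hard = fresh_service()
    try:
        hard.change_email(actor_uid=2, target_uid=1, new_email="alice@example.test")
        refused = False
    except PermissionError:
        refused = True
    return hijacked_to, refused, hard.request_password_reset(1)
```

In the vulnerable service the admin's reset mail reaches the ordinary user's address; in the hardened one the edit is refused and the reset still goes to the admin's verified address.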

Reporter:

Ken Cijsouw