Incorrect Access Control – CVE-2017-8916
Released June 16, 2017
Available for CIS-CAT Pro Dashboard
Affected Product Base:
CIS-CAT Pro Dashboard - 1.0.0, fixed in 1.0.4
CIS-CAT Pro Dashboard - 1.0.1, fixed in 1.0.4
CIS-CAT Pro Dashboard - 1.0.2, fixed in 1.0.4
CIS-CAT Pro Dashboard - 1.0.3, fixed in 1.0.4
Incorrect Access Control
An authenticated user is able to change an administrative user's e-mail address to one they control and then trigger a forgot-password e-mail, which is delivered to that new address, thereby gaining administrative access.
To exploit this vulnerability, a user must be logged in to the system.
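As an added illustration, not the CIS-CAT Pro Dashboard source (which is not shown here), the following contrasts a profile e-mail update that lacks the object-level authorization check described above with a hardened handler; the user records, names and addresses are constructed for the demo.

```python
# Added example (not CIS-CAT Pro Dashboard code): object-level authorization on
# a profile e-mail change, showing the missing check behind CVE-2017-8916 next
# to a hardened handler. All names, records and e-mail addresses are constructed.
import secrets


def make_users():
    """Constructed user table keyed by user id; not the product's real schema."""
    return {
        1: {"name": "admin", "email": "admin@example.test", "role": "admin"},
        2: {"name": "alice", "email": "alice@example.test", "role": "user"},
    }


def update_email_vulnerable(users, actor_id, target_id, new_email):
    """Requires a login but never checks that the actor owns the target account."""
    users[target_id]["email"] = new_email
    return users[target_id]["email"]


def update_email_hardened(users, actor_id, target_id, new_email):
    """Owner-only: a user may change their own address, nobody else's.

    Changing the address also discards any pending reset token, so a reset
    requested before the change cannot be completed from the new address.
    """
    if actor_id != target_id:
        raise PermissionError("actor %d may not edit user %d" % (actor_id, target_id))
    users[target_id]["email"] = new_email
    users[target_id].pop("reset_token", None)
    return users[target_id]["email"]


def request_password_reset(users, username):
    """Mail a reset token to the address on file; returns (recipient, token)."""
    user = next(u for u in users.values() if u["name"] == username)
    token = secrets.token_urlsafe(16)
    user["reset_token"] = token
    return user["email"], token


def reset_mail_destination(handler):
    """Where the admin's reset e-mail lands when user 2 tries to redirect it."""
    users = make_users()
    try:
        handler(users, actor_id=2, target_id=1, new_email="alice@example.test")
    except PermissionError:
        pass  # the hardened handler refuses the cross-account edit
    return request_password_reset(users, "admin")[0]
```

A production handler would additionally confirm the new address before it becomes the reset destination and require re-authentication for the change; both are omitted here for brevity.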