Unverified Password Change

CVE-2022-21934

High

8/10

Summary

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

Attack Complexity: LOW
Attack Vector: ADJACENT_NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-620 - Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

References

Advisory Timeline

Published May 06, 2022

Unverified Password Change

CVE-2022-21934

Summary

CWE-620 - Unverified Password Change

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS