Unverified Password Change
CVE-2025-22381
Summary
Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- LOW
CWE-620 - Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
References
Advisory Timeline
- Published
