Description
admin/accounts/AccountActions.asp in Hosting Controller 2002 RC 1 allows remote attackers to modify passwords of other users, probably via an "Update User" ActionType with a modified UserName parameter and the PassCheck parameter set to TRUE. It was later reported that the vulnerability is present in 6.1 Hotfix 3.3 and earlier.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by BugReport.IR · text · webapps · asp
https://www.exploit-db.com/exploits/4730
References (9)
Core References
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28973
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/485028/100/0/threaded
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/429731/100/0/threaded
Various Sources x_refsource_confirm
http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html
Exploit, Third Party Advisory exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/4730
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/26862
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/24773
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25673
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/39038
Scores
EPSS
0.0114
EPSS Percentile
78.6%
Details
Status
published
Products (2)
hosting_controller/hosting_controller
2002_rc_1
hosting_controller/hosting_controller
< 6.1_hotfix_3.3
Published
Apr 05, 2006
Tracked Since
Feb 18, 2026