CVE-2019-19857

MEDIUM

Serpico 1.3.0 - Improper Authentication via Alternative Password Change Interface

Title source: llm

Description

An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their own password without supplying the current password by using interfaces other than the Change Password screen. The Old Password field on that screen therefore adds no real protection: the check it enforces is only applied on that one form and can be bypassed through the other interfaces. This matters in combination with XSS, because script running in the admin's authenticated browser session can set a new admin password through one of those alternative interfaces without ever knowing the old one.
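The following is an added example, not Serpico's own code, showing the pattern the description refers to in Ruby (the language Serpico is written in). The in-memory user store, the field names and the two handler functions are hypothetical stand-ins for an application's user table and its password-changing routes. The vulnerable handler models an "edit user" interface that trusts the session alone; the hardened handler requires the caller to present their current password before any credential is written, so the check no longer lives only on the Change Password screen.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Serpico's code. USERS layout, parameter names and the two
# handlers below are hypothetical stand-ins for a web app's user table and its
# password-changing routes.

ITERATIONS = 100_000

# PBKDF2-HMAC-SHA256; returns "salt$hex_digest" so the salt travels with the hash.
def hash_password(password, salt = SecureRandom.hex(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256')
  "#{salt}$#{dk.unpack1('H*')}"
end

# Constant-time comparison so a wrong guess does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  salt, = stored.split('$', 2)
  secure_equal?(stored, hash_password(candidate, salt))
end

# Constructed sample data: one admin, one ordinary user.
def build_store
  { 'admin' => { password: hash_password('correct horse'), admin: true },
    'alice' => { password: hash_password('alice-pw'),      admin: false } }
end

# VULNERABLE: an "edit user" interface outside the Change Password screen.
# It authorises on the session alone and writes whatever password it is given,
# including for the admin's own account, with no current-password check.
# Script injected via XSS can call this with the admin's cookies and nothing else.
def change_password_vulnerable(store, actor, params)
  return :forbidden unless store.dig(actor, :admin)
  target = params[:username]
  return :no_such_user unless store.key?(target)
  store[target][:password] = hash_password(params[:password])
  :changed
end

# HARDENED: every path that writes a password re-authenticates the caller with
# their current password (own account or someone else's), so a stolen session
# is not sufficient: the attacker also needs a secret the session does not carry.
def change_password_hardened(store, actor, params)
  return :forbidden unless store.dig(actor, :admin)
  target = params[:username]
  return :no_such_user unless store.key?(target)
  current = params[:current_password]
  return :current_password_required if current.nil? || current.empty?
  return :wrong_current_password unless password_matches?(store[actor][:password], current)
  store[target][:password] = hash_password(params[:password])
  :changed
end

# Constructed request of the kind an XSS payload could issue from the admin's
# browser: it carries the session (actor == 'admin') but knows no password.
FORGED_REQUEST = { username: 'admin', password: 'owned-by-xss' }.freeze

if __FILE__ == $PROGRAM_NAME
  s = build_store
  puts "vulnerable: #{change_password_vulnerable(s, 'admin', FORGED_REQUEST)}"
  h = build_store
  puts "hardened:   #{change_password_hardened(h, 'admin', FORGED_REQUEST)}"
end
```

The point of the hardened variant is where the check sits: in the handler that performs the write, not in one particular HTML form. A CSRF token would not help here, because an XSS payload executes inside the origin and can read the token; what it cannot read is the admin's current password, so requiring it on every credential-changing path is what closes the gap the description identifies.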

References (1)

Third Party Advisory (x_refsource_misc): https://websec.nl/news.php

Scores

CVSS v3.1 base score: 6.5 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0086 (percentile 54.0%)

The vector reads as: reachable over the network with low attack complexity and no privileges, but requiring user interaction (the admin's browser must execute the attacker's request, consistent with the XSS dependency); the impact is to integrity only (the admin's password is overwritten), with no confidentiality or availability impact and no scope change.

Details

CWE: CWE-287 (Improper Authentication)
Status published
Products (1)
serpico_project/serpico 1.3.0
Published Jan 15, 2020
Tracked Since Feb 18, 2026