CVE-2020-26061

HIGH

Clickstudios Passwordstate < 8.5 - Missing Authentication

Title source: rule

Description

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.

Exploits (1)

nomisec WORKING POC

by missing0x00 · poc

https://github.com/missing0x00/CVE-2020-26061

View Code ZIP pw:eip

References (2)

Core 2

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://www.clickstudios.com.au/passwordstate-changelog.aspx

Exploit, Third Party Advisory x_refsource_misc

https://github.com/missing0x00/CVE-2020-26061

Scores

CVSS v3 7.5

EPSS 0.0678

EPSS Percentile 91.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-306

Status published

Products (1)

clickstudios/passwordstate < 8.5

Published Oct 05, 2020

Tracked Since Feb 18, 2026