CVE-2021-44152

CRITICAL NUCLEI

Reprisesoftware Reprise License Manager - Missing Authentication

Title source: rule

Description

An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.

Nuclei Templates (1)

Reprise License Manager 14.2 - Authentication Bypass

CRITICALVERIFIEDby Akincibor

Shodan: http.html:"Reprise License Manager" || http.html:"reprise license" || http.html:"reprise license manager"

FOFA: body="reprise license manager" || body="reprise license"

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html

[Patch, Product, Vendor Advisory] https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes

[Vendor Advisory] https://www.reprisesoftware.com/RELEASE_NOTES

Scores

CVSS v3 9.8

EPSS 0.8667

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306

Status published

Products (1)

reprisesoftware/reprise_license_manager < 15.1

Published Dec 13, 2021

Tracked Since Feb 18, 2026