CVE-2024-28143

HIGH

- - CSRF

Title source: llm

Description

The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.

References (3)

[Mailing List] http://seclists.org/fulldisclosure/2024/Dec/2

[Various Sources] https://r.sec-consult.com/imageaccess

[Various Sources] https://www.imageaccess.de/?page=SupportPortal&lang=en

Scores

CVSS v3 8.4

EPSS 0.0007

EPSS Percentile 21.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-620

Status published

Products (1)

Image Access GmbH/Scan2Net < 7.40

Published Dec 12, 2024

Tracked Since Feb 18, 2026