03 October 2019
SITOS Six Build v6.2.1
Dennis Herrmann and Andre Waldhoff
SITOS Six Build v6.2.1 allows a user to change their password and recovery email without confirming the change with their old password. This would allow an attacker with access to the victim's account, for example via XSS (see CVE-2019-15750 - Cross-Site-Scripting - Non-Persistent), to change the user's password and recovery email.
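
The missing check, shown as an added example that is not SITOS code: a credential-change routine with the behaviour described above next to one that requires the current password first. All names (Account, change_credentials_vulnerable, change_credentials_hardened) and the PBKDF2 hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ReauthRequired(Exception):
    """Raised when the current password is missing or wrong."""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, password: str, recovery_email: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.recovery_email = recovery_email


def verify_password(account: Account, password: str) -> bool:
    candidate = hash_password(password, account.salt)
    return hmac.compare_digest(candidate, account.pw_hash)  # constant-time compare


def apply_change(account, new_password=None, new_email=None):
    if new_password is not None:
        account.salt = os.urandom(16)
        account.pw_hash = hash_password(new_password, account.salt)
    if new_email is not None:
        account.recovery_email = new_email


def change_credentials_vulnerable(account, new_password=None, new_email=None):
    # Behaviour the advisory describes: an authenticated session alone is enough.
    apply_change(account, new_password, new_email)


def change_credentials_hardened(account, current_password,
                                new_password=None, new_email=None):
    # Re-authenticate before touching either credential, so a hijacked
    # session (for example via XSS) cannot lock the owner out.
    if not current_password or not verify_password(account, current_password):
        raise ReauthRequired("current password required to change credentials")
    apply_change(account, new_password, new_email)
```

The same check belongs on both the password and the recovery email, since changing the recovery address alone is enough to take over the account through the reset flow.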