CVE-2019-15749

Account Takeover

Publish date

03 October 2019

Identifier

CVE-2019-15749

Manufacturer

SITOS

Product

SITOS Six Build v6.2.1

Authors

Dennis Herrmann and Andre Waldhoff

Description

SITOS Six Build v6.2.1 allows a user to change their password and their recovery email without requiring them to confirm the change with their old password. This would allow an attacker with access to the victim's account, for example via XSS (see CVE-2019-15750 - Cross-Site Scripting - Non-Persistent), to change the user's password and recovery email.
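The defensive pattern this advisory points at is re-authentication before any change to credentials or recovery data. The example below is added here and is not SITOS code: it models an account-update handler over a constructed in-memory user record (PBKDF2 hash, salt, recovery email) and shows the flawed handler, which trusts the session alone, beside a hardened one that refuses the change unless the current password is supplied and verified.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the application's user table (assumption: each
# record stores a PBKDF2 salt and hash plus the recovery email address).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, recovery_email: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "recovery_email": recovery_email}

def verify_password(user: dict, candidate: str) -> bool:
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(user["hash"], _hash_password(candidate, user["salt"]))

def _apply(user: dict, new_password, new_recovery_email) -> None:
    if new_password is not None:
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
    if new_recovery_email is not None:
        user["recovery_email"] = new_recovery_email

def update_account_vulnerable(user: dict, new_password=None,
                              new_recovery_email=None) -> bool:
    # Mirrors the flaw described above: any request carrying a valid session
    # (for instance one riding on a hijacked browser session) may replace
    # both the password and the recovery email with no further proof.
    _apply(user, new_password, new_recovery_email)
    return True

def update_account_hardened(user: dict, current_password: str,
                            new_password=None, new_recovery_email=None) -> bool:
    # Re-authenticate first: a session is not enough to alter credentials or
    # recovery data. On a wrong current password nothing is changed and the
    # caller gets False, which is also the event worth logging and alerting on.
    if not verify_password(user, current_password):
        return False
    _apply(user, new_password, new_recovery_email)
    return True
```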
