CVE-2024-28143

Summary

The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.

Affected Software

VendorProductVersion RangeStatus
Image Access GmbHScan2Net0 < 7.40affected

Weaknesses

  • CWE-620: CWE-620 Unverified Password Change

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References