The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-11-25T18:09:00

Updated: 2024-08-07T10:49:11.835Z

Reserved: 2008-11-25T00:00:00

Link: CVE-2008-5221

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2008-11-25T18:30:00.500

Modified: 2024-11-21T00:53:35.470

Link: CVE-2008-5221

cve-icon Redhat

No data.