Vendor: WebLeague
By: TiGeR-Dz
CVSS: 6.4 (MEDIUM)
Remote Change Password
CWE: 287
Product Name: WebLeague
Affected Version From: 2.2.0
Affected Version To: 2.2.0
Patch Exists: NO
Related CWE: N/A
CPE: a:webleague:webleague:2.2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009
WebLeague 2.2.0 (install.php) Remote Change Password
A vulnerability exists in WebLeague 2.2.0 which allows an attacker to remotely change the password of an account. The vulnerability is due to the lack of authentication when accessing the install.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the install.php file. This will allow the attacker to change the password of an account without authentication.
Mitigation:
To mitigate this vulnerability, authentication should be enforced when accessing the install.php file.