CVE-2026-24443
HIGH 8.8
Description
EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/24/2026
Last modified: 2/26/2026
Source: nvd
Honeypot observations: 0
Affected products
netikus:eventsentry
Weaknesses (CWE)
CWE-620 (Unverified Password Change)
References
https://www.eventsentry.com/downloads/version-history (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change (disclosure@vulncheck.com)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.