8.8
CVE-2026-24443
- EPSS 0.46%
- Veröffentlicht 24.02.2026 20:14:44
- Zuletzt bearbeitet 26.02.2026 03:00:27
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
EventSentry < 6.0.1.20 Web Reports Unverified Password Change
EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Netikus ≫ Eventsentry Version < 6.0.1.20
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.46% | 0.365 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| disclosure@vulncheck.com | 8.6 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-620 Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
https://www.eventsentry.com/downloads/version-history
https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change