Eventsentry
CVE-2026-24443
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
AnalysisAI
Eventsentry versions up to 6.0.1.20 contains a vulnerability that allows attackers to privilege escalation (CVSS 8.8).
Technical ContextAI
exists in the account management component. EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Eventsentry
View allCross-site scripting (XSS) vulnerability in the Web Reports in EventSentry 3.1.0 allows remote attackers to inject arbit
Netikus EventSentry before 3.2.1.44 has XSS via SNMP. Rated medium severity (CVSS 6.1), this vulnerability is remotely e
Same weakness CWE-620 – Unverified Password Change
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today