Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0, and Devolutions Server 2025.3.20.0 and earlier.
OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
Daylight Studio FuelCMS v1.5.2 allows remote attackers to exfiltrate password reset tokens through a mail splitting attack, enabling account takeover without authentication. The vulnerability exploits improper handling of email headers during the password reset workflow, permitting attackers to intercept or redirect sensitive reset tokens to attacker-controlled addresses. No public exploit code or active exploitation has been independently confirmed at time of analysis.
Sl902-Swtgw124As firmware versions up to 200.1.20 contain a vulnerability that allows attackers to change account passwords without verifying the current password (CVSS 7.1).
EventSentry versions up to 6.0.1.20 contain a vulnerability that allows attackers to escalate privileges (CVSS 8.8).
A security vulnerability was identified in vichan-devel vichan versions up to 5.1.5 (CVSS 2.7).
Unauthenticated password modification in Tenda W30E V2 firmware through the maintenance interface allows authenticated users to reset account credentials without password verification, potentially enabling privilege escalation or account takeover on affected devices. The vulnerability affects firmware versions up to V16.01.0.19(5037) and currently lacks an available patch.
A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation.
Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. [CVSS 3.7 LOW]