CVE-2014-2849
high
CVSS v3
—
CVSS v2
8.5
VIR risk
8.5
Description
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://www.sophos.com/en-us/support/knowledgebase/120230.aspx
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/57706
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| sophos | web_appliance_firmware | 3.7.8 | |
References
- http://secunia.com/advisories/57706
- http://www.exploit-db.com/exploits/32789
- http://www.securityfocus.com/bid/66734
- http://www.sophos.com/en-us/support/knowledgebase/120230.aspx
- http://www.zerodayinitiative.com/advisories/ZDI-14-069/
CWEs
CWE-264