Insecure Password Change Functionality in Serpico 1.3.0

Insecure Password Change Functionality in Serpico 1.3.0

CVE-2019-19857 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS.

Learn more about our Web Application Penetration Testing UK.