Vulnerability Description
ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Clickstudios | Passwordstate | < 8.5 |
Related Weaknesses (CWE)
References
- https://github.com/missing0x00/CVE-2020-26061ExploitThird Party Advisory
- https://www.clickstudios.com.au/passwordstate-changelog.aspxRelease NotesVendor Advisory
- https://github.com/missing0x00/CVE-2020-26061ExploitThird Party Advisory
- https://www.clickstudios.com.au/passwordstate-changelog.aspxRelease NotesVendor Advisory
FAQ
What is CVE-2020-26061?
CVE-2020-26061 is a vulnerability with a CVSS score of 7.5 (HIGH). ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successful...
How severe is CVE-2020-26061?
CVE-2020-26061 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26061?
Check the references section above for vendor advisories and patch information. Affected products include: Clickstudios Passwordstate.