CVE-2022-0862

MEDIUM Year: 2022
CVSS v3 Score
5.3
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-522
View all →

Vulnerability Description

A lack of password change protection vulnerability in a depreciated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been disabled. Other protection is in place to reduce the likelihood of this being successful through sending a link to a logged in user.

Related Vulnerabilities

CVE-2017-8446

MEDIUM
CVSS:5.3(Medium)

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role coul...

CWE-5222017

CVE-2018-21237

MEDIUM
CVSS:5.3(Medium)

An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows NTLM credential theft via a GoToE or GoToR action.

CWE-5222018

CVE-2018-21239

MEDIUM
CVSS:5.3(Medium)

An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It allows NTLM credential theft via a GoToE or GoToR action.

CWE-5222018

CVE-2019-10378

MEDIUM
CVSS:5.3(Medium)

Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CWE-5222019

CVE-2019-4697

MEDIUM
CVSS:5.3(Medium)

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 171938.

CWE-5222019

CVE-2020-11821

MEDIUM
CVSS:5.3(Medium)

In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them.

CWE-5222020