An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS.
Recent assessments:
busterb at January 16, 2020 12:01am UTC reported:
If Serpico is used to provide reports on pentesting results, this could be a problem for customers as there would be plenty of sensitive data that an attacker could use to leverage as a free pass into customer environments (assuming they had not been remediated).
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5