gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthentic…
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
https://cwe.mitre.org/data/definitions/640.html →Open in CWE collection →An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
https://capec.mitre.org/data/definitions/50.html →Open in CAPEC collection →| Product | Vendor | Status |
|---|---|---|
| gps_tracking_software | * | Tracked |