Publish Date: July 12, 2019
Summary
We've identified a vulnerability in the Spiceworks account password-reset mechanism. The “current password” field lacked a rate limiter, allowing an attacker to potentially brute-force a victim’s current password and change it.

Who’s Affected?
At this time, we do not believe anyone was affected by this vulnerability.

Details
An attacker, while logged in as the victim, could go to https://accounts.spiceworks.com and access the Reset Password utility. The attacker could then enter any value into the current password field along with a new password. Upon submission, the request payload could be intercepted, modified to substitute candidate passwords in the “current password” field, and re-submitted repeatedly until the correct current password was determined.

Mitigating Factors
In order to exploit this vulnerability, an attacker...
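As an added illustration (not Spiceworks' code; the account store, hash parameters and limits are constructed assumptions), a password-change handler in the unthrottled shape the advisory describes, beside a per-account throttled variant that refuses further current-password checks once a failure budget is spent:

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed salt/hash parameters for the sample account store (hypothetical)
SALT = b"constructed-salt"
MAX_ATTEMPTS = 5       # failed current-password checks allowed per window
WINDOW_SECONDS = 900   # 15-minute sliding window


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)


class PasswordChangeHandler:
    def __init__(self, clock=time.time):
        self.clock = clock
        # Constructed sample account: username -> password hash
        self.accounts = {"victim": _hash("correct horse battery staple")}
        self._failures = defaultdict(list)  # account -> failed-attempt timestamps

    def _check_current(self, account, current):
        stored = self.accounts.get(account)
        return stored is not None and hmac.compare_digest(stored, _hash(current))

    def change_unthrottled(self, account, current, new):
        """Vulnerable shape: every guess of the current password is evaluated."""
        if not self._check_current(account, current):
            return "wrong_current_password"
        self.accounts[account] = _hash(new)
        return "changed"

    def change_throttled(self, account, current, new):
        """Hardened shape: per-account failure budget on the current-password check."""
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t < WINDOW_SECONDS]
        self._failures[account] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "rate_limited"  # refuse before the guess is even evaluated
        if not self._check_current(account, current):
            recent.append(now)
            return "wrong_current_password"
        self._failures[account].clear()
        self.accounts[account] = _hash(new)
        return "changed"


def replay(handler, method, guesses):
    """Submit each constructed guess as the current password; return the outcomes."""
    return [getattr(handler, method)("victim", g, "attacker-chosen") for g in guesses]
```

A failure budget limits only the online guessing path; requiring re-authentication with a second factor before a password change closes the case where the session itself is already in the attacker's hands.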