CVE-2022-44004 An issue was discovered in BACKCLICK Professional 5.9.63

The attacker can also view the email address, first and last names, and the mobile phone number of the target by completing the password-reset process.

CVE-2018-17982 was discovered in the user registration system of the web-based management console. An unauthenticated attacker can exploit a SQL injection or cross-site scripting (XSS) vulnerability in it to obtain sensitive information (for example, database login credentials) by submitting a specially crafted request.
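The registration-time injection described above, as an added example that is not BACKCLICK's code and not taken from the advisory: a hypothetical "is this username free?" check that splices the submitted value into the SQL text, beside the parameterized form. The table and column names (users, settings) and the payload are assumptions constructed for illustration; the settings table stands in for wherever an application keeps the database login the page says an attacker could obtain.

```python
"""Added example (not BACKCLICK code): a registration username check built
with string concatenation, beside a parameterized version.
Table and column names are assumptions for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a users table plus a settings table that holds
    # the kind of database credentials the advisory says can be obtained.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE settings (name TEXT, value TEXT);
        INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com');
        INSERT INTO settings VALUES ('db_user', 'backclick_app');
        INSERT INTO settings VALUES ('db_pass', 'S3cret-db-pass');
        """
    )
    return db


def username_taken_vulnerable(db: sqlite3.Connection, username: str) -> list:
    # The registration form asks whether a username is free and echoes the
    # matching rows back. Because the value is pasted into the SQL text, a
    # UNION payload can pull rows from any table into that echoed answer.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def username_taken_fixed(db: sqlite3.Connection, username: str) -> list:
    # Parameter binding: the submitted value is always data, never SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


# Constructed payload: closes the string literal, appends a UNION that reads
# the settings table, and comments out the quote the server appends.
PAYLOAD = "x' UNION SELECT name || '=' || value FROM settings --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", username_taken_vulnerable(db, PAYLOAD))
    print("fixed:     ", username_taken_fixed(db, PAYLOAD))
```

The vulnerable variant returns the two settings rows ("db_user=..." and "db_pass=...") to an unauthenticated caller; the parameterized variant returns an empty list because no account has that literal username. Parameter binding is the fix; escaping quotes by hand is not, because the same splice pattern recurs wherever the next developer forgets to escape.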

It was found that the management console does not enforce any form of HTTP login for administrative activities. This means that an attacker can host a login page on a remote server and does not have to be on the same network as the management console.

CVE-2018-17983 was discovered in the user registration system. By sending a specially crafted request, an attacker can obtain the email address of another registered user.

CVE-2018-17984 was discovered in the user registration system. By sending a specially crafted request, an attacker can obtain the first name of another registered user.

CVE-2018-17985 was discovered in the user registration system. By sending a specially crafted request, an attacker can obtain the last name of another registered user.

CVE-2018-17986 was discovered in the user registration system. By sending a specially crafted request, an attacker can obtain the mobile phone number of another registered user.
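The profile disclosure described for the password-reset step above and for CVE-2018-17983 through CVE-2018-17986, as an added example that is not BACKCLICK's code and does not reproduce the advisory's requests: a hypothetical reset handler that identifies the target by a guessable numeric id and echoes the matched account's profile, beside a version that looks the account up by the identifier the requester already knows, delivers the token only to the stored address, and returns the same response whether or not an account exists. The record layout, the numeric ids and the sample accounts are constructed for illustration.

```python
"""Added example (not BACKCLICK code): a password-reset confirmation step
that leaks another user's profile, beside a version that leaks nothing.
The account records and identifiers are constructed sample data."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    first_name: str
    last_name: str
    mobile: str


# Constructed sample accounts (assumed layout, not the product's schema).
USERS = {
    1: User(1, "alice@example.com", "Alice", "Anders", "+49 170 0000001"),
    2: User(2, "bob@example.com", "Bob", "Berg", "+49 170 0000002"),
}
USERS_BY_EMAIL = {u.email.lower(): u for u in USERS.values()}

GENERIC_REPLY = {"status": "If an account exists, a reset link has been sent."}


def reset_vulnerable(requested_user_id: int) -> dict:
    # The form names the target by a sequential id and the reply includes
    # the profile so the page can "confirm" the account to the user. Anyone
    # who submits someone else's id learns that user's email, names and
    # mobile number, with no authentication at all.
    user = USERS.get(requested_user_id)
    if user is None:
        return {"status": "unknown account"}
    return {
        "status": "reset mail sent",
        "email": user.email,
        "first_name": user.first_name,
        "last_name": user.last_name,
        "mobile": user.mobile,
    }


def reset_fixed(login_name: str, outbox: list) -> dict:
    # Look the account up by the address the requester already knows, send
    # the token only to that stored address (outbox stands in for the mail
    # sender), and answer identically for known and unknown accounts so the
    # response itself reveals neither existence nor profile data.
    user = USERS_BY_EMAIL.get(login_name.strip().lower())
    if user is not None:
        token = secrets.token_urlsafe(32)
        outbox.append((user.email, token))
    return dict(GENERIC_REPLY)


if __name__ == "__main__":
    print("vulnerable:", reset_vulnerable(2))
    sent = []
    print("fixed (known):  ", reset_fixed("bob@example.com", sent))
    print("fixed (unknown):", reset_fixed("nobody@example.com", sent))
    print("delivered to:", [addr for addr, _ in sent])
```

Two properties matter here and the fixed handler has both: the caller never chooses whose record is acted on (the lookup key is the requester's own identifier, not an enumerable id), and the reply carries no per-account data, so it cannot be used to harvest registered users' details or to test which addresses are registered.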

Checklist: Steps to Take Before BCP-19 Implementation

- Review the checklist for BCP-19 implementation
- Plan for specific tasks related to BCP-19
- Conduct penetration testing with a third party
- Decide on a suitable deployment date

Timeline

Published on: 11/16/2022 23:15:00 UTC
Last modified on: 11/20/2022 13:50:00 UTC
