Helmholz and MB Connect Line: Account takeover via password reset in multiple products

An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

通过用户控制密钥绕过授权机制

MB connect line mbCONNECT24和mymbCONNECT24 安全漏洞

MB connect line mbCONNECT24和MB connect line mymbCONNECT24都是德国MB connect line公司的产品。MB connect line mbCONNECT24是一套远程服务门户网站。该产品支持远程接入、数据记录和报警等功能。MB connect line mymbCONNECT24是一款适用于虚拟环境的内部远程维护解决方案。 MB connect line mbCONNECT24和mymbCONNECT24存在安全漏洞，该漏洞源于在用户登录后可以

N/A

N/A