Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.
The vulnerability results from improper condition verification (CWE-697) during the password reset process handling. This mechanism does not properly verify the requester's identity, which allows an anonymous attacker to bypass standard authentication. As a result, an attacker can reset the password in an unauthorized manner and take control of the system.
An attacker gains full access to the server with root user privileges, which means the possibility of taking complete control of the system, reading and modifying data, and installing arbitrary software.
Apply patches available from the vendor according to the references. Technical details of the vulnerability and recommendations were published by Exodus Intel on July 25, 2024 at: https://blog.exodusintel.com/2024/07/25/softaculous-webuzo-authentication-bypass/
Softaculous Webuzo — versions indicated in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSoftaculous Webuzo
APPSoftaculous< 4.2.9
Related vulnerabilities
Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated a...
Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, a...
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell m...
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentica...
Cross-site scripting (XSS) vulnerability in filemanager/login.php in the File Manager module in Softaculous We...