| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| moneo software installed on Microsoft Windows | 1.13 | |
| moneo software installed on QHA210 | 1.13 | |
| moneo software installed on QHA300 | 1.13 | |
| moneo software installed on QVA200 | 1.13 |
moneo "Forgot Password" function has a vulnerability which allows gaining privileged access.
An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.
In a moneo appliance with no mailserver configured, an unauthorized attacker can reset a password to the new user default value.
Mitigation
The correct configuration of a mail server prevents the exploitation of the vulnerability.
Remediation
Update to moneo version 1.13.5 or later.
CERT@VDE coordinated with ifm