CVE-2026-24443

{"id": "CVE-2026-24443", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-24443", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:40:31.199548Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "disclosure@vulncheck.com", "affectedData": [{"vendor": "NETIKUS.NET ltd", "product": "EventSentry", "versions": [{"status": "affected", "version": "0", "lessThan": "6.0.1.20", "versionType": "custom"}], "defaultStatus": "unaffected"}]}], "published": "2026-02-24T21:16:29.293", "references": [{"url": "https://www.eventsentry.com/downloads/version-history", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change", "tags": ["VDB Entry", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-620"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "EventSentry versions prior to 6.0.1.20\u00a0contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation."}, {"lang": "es", "value": "Las versiones de EventSentry anteriores a la 6.0.1.20 contienen una vulnerabilidad de cambio de contrase\u00f1a no verificado en la funcionalidad de gesti\u00f3n de cuentas de la interfaz de Informes Web. El mecanismo de cambio de contrase\u00f1a no requiere la validaci\u00f3n de la contrase\u00f1a actual antes de permitir que se establezca una nueva contrase\u00f1a. Un atacante que obtenga acceso temporal a una sesi\u00f3n de usuario autenticado puede cambiar la contrase\u00f1a de la cuenta sin conocer las credenciales originales. Esto permite la toma de control persistente de la cuenta y, si esto afecta a las cuentas de administrador, puede resultar en escalada de privilegios."}], "lastModified": "2026-06-17T10:23:05.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netikus:eventsentry:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "658C31C0-7F16-4E68-92AA-B5FE24763167", "versionEndExcluding": "6.0.1.20"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}