CVE-2026-24443 | Assigner: VulnCheck | Published: 2026-02-24 20:14 | State: PUBLISHED | CVE record version: 5.2 | CWE-620

EventSentry < 6.0.1.20 Web Reports Unverified Password Change

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

Problem type

CWE-620 Unverified Password Change
Affected products

NETIKUS.NET ltd

EventSentry

< 6.0.1.20 - AFFECTED

References

GitHub Security Advisories

GHSA-8c83-cvgq-pp7w

https://github.com/advisories/GHSA-8c83-cvgq-pp7w

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-24443
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-24443",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-02-24T21:40:48.632Z",
    "dateReserved": "2026-01-22T20:23:19.804Z",
    "datePublished": "2026-02-24T20:14:44.688Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-02-24T20:14:44.688Z"
      },
      "title": "EventSentry < 6.0.1.20 Web Reports Unverified Password Change",
      "descriptions": [
        {
          "lang": "en",
          "value": "EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "EventSentry versions prior to 6.0.1.20&nbsp;contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation."
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "NETIKUS.NET ltd",
          "product": "EventSentry",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "6.0.1.20"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-620 Unverified Password Change",
              "cweId": "CWE-620",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.eventsentry.com/downloads/version-history",
          "tags": [
            "release-notes",
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "VulnCheck",
          "type": "coordinator"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-02-24T21:40:48.632Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}