Suprema BioStar 2 Insecure Password Change Vulnerability

Vulnerability

A vulnerability in Suprema's BioStar 2 access control management system, specifically in version 2.9.11.6, allows users to change their password without entering the current one. The page classifies this as a client-side flaw: the current-password requirement is enforced only in the client, not by the server that processes the change. It can be exploited, particularly in conjunction with other vulnerabilities, to gain unauthorized access to user accounts and potentially compromise the system.

Impact

Exploitation of this vulnerability could lead to unauthorized account access, allowing an attacker to take over a user's account permanently.

Reproduction

To reproduce this vulnerability, send a request to the BioStar 2 API users endpoint that includes a new password in the request body but omits the current password. The server accepts the request and changes the password. After the change, the new password can be used to log in to the account, confirming that the change took effect.
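The root cause described above is a password-change handler that trusts the client to have asked for the current password instead of verifying it itself. The following is an added illustration of the server-side check that closes that gap; it is not BioStar 2 code and makes no claim about how Suprema's API is structured. The user store, the request body field names (`current_password`, `new_password`) and the hashing parameters are assumptions chosen for the example.

```python
"""Server-side password change that refuses to proceed without a verified
current password. Constructed example, not BioStar 2 code."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed hashing parameters for the example store (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """Minimal in-memory credential store standing in for the real user database."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, username: str, password: str) -> None:
        self._creds[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        rec = self._creds.get(username)
        if rec is None:
            return False
        salt, stored = rec
        _, candidate = hash_password(password, salt)
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(stored, candidate)


def change_password(store: UserStore, username: str, body: dict) -> Tuple[int, str]:
    """Handle a parsed JSON body for an already-authenticated user.

    Returns (HTTP status, message). The decisive difference from the flaw on
    this page: the current password is required and verified HERE, on the
    server, regardless of what the client did or did not send.
    """
    current = body.get("current_password")
    new = body.get("new_password")

    # A missing current password is rejected outright, never assumed verified.
    if not isinstance(current, str) or not current:
        return 400, "current_password is required"
    if not isinstance(new, str) or not new:
        return 400, "new_password is required"

    # Verify against the stored credential, not against a client-supplied flag.
    if not store.verify(username, current):
        return 403, "current password is incorrect"

    # Basic policy check; the real policy belongs to the deployment.
    if len(new) < 12 or new == current:
        return 400, "new password does not meet policy"

    store.set_password(username, new)
    return 200, "password changed"


if __name__ == "__main__":
    s = UserStore()
    s.set_password("alice", "Old-Password-123")
    print(change_password(s, "alice", {"new_password": "Brand-New-Pass-456"}))
    print(change_password(s, "alice", {"current_password": "Old-Password-123",
                                       "new_password": "Brand-New-Pass-456"}))
```

The handler treats the request body as untrusted input: whether the client's form had a "current password" field is irrelevant, because the server derives its decision only from what it can verify against its own credential store. That is the property a reviewer would check for in any account-management endpoint, and its absence is what the reproduction step above demonstrates.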

Remediation

Contact Suprema for the patch available in version 2.9.11.

Added: Mar 4, 2026, 11:21 PM
Updated: Mar 4, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 1.3
exploitability: 6.2
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.