EventSentry Web Reports Unverified Password Change Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability allowing unverified password changes has been identified in the EventSentry Web Reports interface, affecting versions prior to 6.0.1.20. The issue arises because the password change feature does not require validation of the current password before a new password can be set. This flaw enables an attacker with temporary access to an authenticated user session to change the account password, leading to persistent account takeover. If an administrative account is compromised, it could result in privilege escalation.
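The weakness described above is the generic "unverified password change" pattern: a password-change handler that trusts the authenticated session alone and never asks the caller to prove knowledge of the current password. The following Python is an added illustration, not EventSentry's code and not derived from the fixed release; the user store, function names and the PBKDF2 parameters are assumptions chosen for the example. It places the vulnerable handler beside the hardened one and records rejected attempts so an operator has something to alert on.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed work factor for the example; production deployments tune this to
# their hardware or use a dedicated password-hashing library.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of a password; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class UserStore:
    """Constructed in-memory credential store standing in for the application's user database."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.audit_log: List[Tuple[str, str]] = []

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return verify_password(password, salt, digest)


def change_password_unverified(store: UserStore, session_user: str, new_password: str) -> bool:
    """Vulnerable pattern: the handler trusts the authenticated session alone.

    Whoever currently holds the session can set a new password, locking the
    legitimate owner out and making a temporary session compromise persistent.
    """
    store.users[session_user] = hash_password(new_password)
    return True


def change_password_verified(store: UserStore, session_user: str,
                             current_password: str, new_password: str) -> bool:
    """Hardened pattern: the caller must prove knowledge of the current password.

    A wrong current password leaves the stored credential untouched and is
    written to the audit log, which is the signal a defender would monitor.
    """
    if session_user not in store.users:
        return False
    salt, digest = store.users[session_user]
    if not verify_password(current_password, salt, digest):
        store.audit_log.append(("password_change_rejected", session_user))
        return False
    store.users[session_user] = hash_password(new_password)
    store.audit_log.append(("password_changed", session_user))
    return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "original-passphrase")
    print("verified change with wrong current password:",
          change_password_verified(store, "alice", "wrong-guess", "rotated-passphrase"))
    print("verified change with correct current password:",
          change_password_verified(store, "alice", "original-passphrase", "rotated-passphrase"))
    print("audit log:", store.audit_log)
```

Two complementary controls belong with this check in a real deployment: invalidate every other active session for the account once the password changes, and alert on repeated `password_change_rejected` entries for the same user, since a hijacked session guessing at the current password is exactly the event the verification step is meant to expose.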

Impact

Exploitation of this vulnerability allows for unauthorized password changes, leading to account takeover. If an administrative account is compromised, it could result in privilege escalation.

Remediation

Upgrade to EventSentry version 6.0.1.20 or later to address this vulnerability.

Added: Feb 24, 2026, 9:18 PM
Updated: Feb 24, 2026, 9:54 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 5.0
exploitability: 4.9
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.