CVE-2024-28143: Insecure Password Change Function

Vendor: Image Access GmbH
Product: Scan2Net
Weakness: CWE-620 (Unverified Password Change)
Published: December 12, 2024
Last update: November 3, 2025

What the vulnerability does

01 Description

The password change function at /cgi/admin.cgi does not require the current (old) password, which makes the application vulnerable to account takeover. An attacker can use this to force a new password for a user through the -rsetpass+-aaction+- parameter without knowing the old password, e.g. by exploiting a CSRF issue.

Key dates

02 Disclosure timeline

December 12, 2024: CVE published
November 3, 2025: Record updated