CVE-2004-1263

changepassword.cgi in ChangePassword 0.8, when installed setuid, allows local users to execute arbitrary code by modifying the PATH environment variable to point to a malicious "make" program.

Published: Jan 10, 2005
Updated: Apr 13, 2023
CVE: CVE-2004-1263
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
changepassword / changepassword	0.2	0.2.x
changepassword / changepassword	0.4	0.4.x
changepassword / changepassword	0.1	0.1.x
changepassword / changepassword	0.8	0.8.x
changepassword / changepassword	0.6.1	0.6.1.x
changepassword / changepassword	0.5	0.5.x
changepassword / changepassword	0.7	0.7.x
changepassword / changepassword	0.6	0.6.x
changepassword / changepassword	0.3	0.3.x

http://tigger.uic.edu/~jlongs2/holes/changepassword.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/18593

Vulnerability Database

290,206

CVE-2004-1263