CVE-2013-4471

The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.

Published: May 14, 2014
Updated: Apr 13, 2023
CVE: CVE-2013-4471
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
openstack / horizon	2013.1	2013.2

http://lists.openstack.org/pipermail/openstack/2013-November/003299.html
https://bugs.launchpad.net/horizon/+bug/1237989

Vulnerability Database

289,697

CVE-2013-4471