Brief Description:
A medium-severity issue concerning unverified email address change was identified in the Commerce B2B application which a malicious user with access to an admin console account to change the email address to something they control without verification of email change request.
Affected Versions:
All versions before 5.2.2605.
Solutions and Mitigations:
The application has been updated to require email verification on address change request prior to changing the account email in the system.
For Users that Cannot Upgrade:
If you are unable to upgrade, the following mitigations are suggested:
- Exploitation requires knowledge of the account credentials – ensure credentials are secured and not available publicly.
CVSS and Severity:
CVSS 6.4, Medium
CVE/CWE ID:
CWE-283
Article is closed for comments.