You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Vulnerability Summary
Testers discovered a scenario in which it is possible to reenable the default admin account even if the password is changed.
Analysis of the Attack
The tester followed these steps to produce this issue:
o Set up the environment via the docker process
o Authenticate to the Portal
o Create a new Admin
o Log out of the default admin and log into the new Admin account o Change the password and delete the default admin account
o Log out of the application
o Try to log into the app with the default admin account -- note that this no longer works
because we changed the password (unlike WAPT-C-1)
o Log in with the new (non-default) admin account
o Demote the role to "Staff"
o Log out
o Try to log into the app with the default admin account -- note that this now reenables the
deleted admin account
The text was updated successfully, but these errors were encountered:
tostart-pickagreatname
changed the title
[Security] WAPT-C-2: Default Admin Account Can Reappear #2
[Security][Critical Risk] WAPT-C-2: Default Admin Account Can Reappear #2
Jun 19, 2020
Vulnerability Summary
Testers discovered a scenario in which it is possible to reenable the default admin account even if the password is changed.
Analysis of the Attack
The tester followed these steps to produce this issue:
o Set up the environment via the docker process
o Authenticate to the Portal
o Create a new Admin
o Log out of the default admin and log into the new Admin account o Change the password and delete the default admin account
o Log out of the application
o Try to log into the app with the default admin account -- note that this no longer works
because we changed the password (unlike WAPT-C-1)
o Log in with the new (non-default) admin account
o Demote the role to "Staff"
o Log out
o Try to log into the app with the default admin account -- note that this now reenables the
deleted admin account
The text was updated successfully, but these errors were encountered: