CVE-2004-1263 | Vulnerability Database | Aqua Security

changepassword.cgi in ChangePassword 0.8, when installed setuid, allows local users to execute arbitrary code by modifying the PATH environment variable to point to a malicious make program.

Affected Software

Name	Vendor	Start Version	End Version
Changepassword	Changepassword	0.1 (including)	0.1 (including)
Changepassword	Changepassword	0.2 (including)	0.2 (including)
Changepassword	Changepassword	0.3 (including)	0.3 (including)
Changepassword	Changepassword	0.4 (including)	0.4 (including)
Changepassword	Changepassword	0.5 (including)	0.5 (including)
Changepassword	Changepassword	0.6 (including)	0.6 (including)
Changepassword	Changepassword	0.6.1 (including)	0.6.1 (including)
Changepassword	Changepassword	0.7 (including)	0.7 (including)
Changepassword	Changepassword	0.8 (including)	0.8 (including)

References

http://tigger.uic.edu/~jlongs2/holes/changepassword.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/18593
http://tigger.uic.edu/~jlongs2/holes/changepassword.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/18593

NVD	https://nvd.nist.gov/vuln/detail/CVE-2004-1263
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html