A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Connected_mobile_experiences | Cisco | 10.6.0 (including) | 10.6.0 (including) |
| Connected_mobile_experiences | Cisco | 10.6.1 (including) | 10.6.1 (including) |
| Connected_mobile_experiences | Cisco | 10.6.2 (including) | 10.6.2 (including) |
| Connected_mobile_experiences | Cisco | 10.6.3 (including) | 10.6.3 (including) |