A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements.
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Connected_mobile_experiences | Cisco | 10.6.0 (including) | 10.6.0 (including) |
| Connected_mobile_experiences | Cisco | 10.6.1 (including) | 10.6.1 (including) |
| Connected_mobile_experiences | Cisco | 10.6.2 (including) | 10.6.2 (including) |
| Connected_mobile_experiences | Cisco | 10.6.3 (including) | 10.6.3 (including) |
A product’s design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B [REF-1053] for further information on password requirements.