2007-12-28 00:00:00
mitre
PUBLISHED
RunCMS before 1.6.1 does not require entry of the old password during a password change, which allows context-dependent attackers to change passwords upon obtaining temporary access to a session.