CVE-2022-44004

Vulnerability

BACKCLICK Professional version 5.9.63 (On-Premises) exposes a Direct Web Remoting (DWR) function sendPasswordReminder without authentication [1]. This function accepts a target user ID (param0) and an arbitrary email address (param1) to trigger a password reset [1]. The application changes the user's password to a new value and sends it to the specified email, effectively allowing an unauthenticated attacker to reset any known user's password [1].

Exploitation

An attacker with network access to the management web interface can call the sendPasswordReminder DWR function without any authentication [1]. The attacker provides the target user's ID and an email address under their control [1]. The application then changes the password and emails the new password to the attacker-controlled address [1]. The attacker can then log in to the affected user's account [1].

Impact

Successful exploitation allows an attacker to gain full access to any user's account, potentially including administrative privileges [1]. This enables the attacker to perform all actions available to that account within the BACKCLICK application, such as viewing or modifying email campaigns and subscriber data [1]. The vulnerability also allows an attacker to lock out legitimate users by changing their passwords [1].

Mitigation

As of the publication date (2022-11-16), the vendor has not released a fixed version [1][2]. SySS GmbH disclosed the issue to the manufacturer on 2022-05-25, but no solution status is known [1]. Workarounds are not described in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the disclosure date.