Description: Force password change without knowing current password.
Versions Affected: < 9.1.2
Researcher: Dwight Hohnstein (https://twitter.com/djhohnstein)
Disclosure Link: https://rhinosecuritylabs.com/research/remote-code-execution-bug-hunting-chapter-1/
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2017-7284
URL: https://url/api/users/#/?sid=#
The above URL is vulnerable to forced password changes. You can change the logged-in user's password without knowing the current password. This is done by passing the JSON parameter "force" with your request, as seen in the api/includes/users.php file.
Usage: python CVE-2017-7284.py -a AUTHSTRING -u TARGET -P PASSWORD_TO_SET
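
The flaw class described above, shown as a vulnerable handler beside a hardened one. This is an added example, not the contents of api/includes/users.php and not part of the original PoC. The user store, the "current_password" and "is_admin" fields, the function names and the policy that only administrators may reset other accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store; all names and fields are hypothetical.
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, is_admin=False):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "is_admin": is_admin}

def verify_password(user, password):
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))

def set_password(user, password):
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(password, user["salt"])

def change_password_vulnerable(users, session_user, target, body):
    """Models the flaw: a client-supplied "force" flag skips the check."""
    if not body.get("force"):
        if not verify_password(users[target], body.get("current_password", "")):
            return False
    set_password(users[target], body["password"])
    return True

def change_password_hardened(users, session_user, target, body):
    """Ignores "force" in the request body; privilege comes from the session."""
    actor = users[session_user]
    if session_user == target:
        # Self-service change: the current password is always required.
        if not verify_password(actor, body.get("current_password", "")):
            return False
    elif not actor["is_admin"]:
        # Assumed policy: only an administrator may reset another account.
        return False
    set_password(users[target], body["password"])
    return True
```

The hardened handler never reads "force": whether the current-password check can be skipped is decided from server-side session state, not from a field the caller controls.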