CVE-2008-5221

critical

Description

The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters.

References

https://www.exploit-db.com/exploits/7170

https://exchange.xforce.ibmcloud.com/vulnerabilities/46772

http://www.vupen.com/english/advisories/2008/3219

http://securityreason.com/securityalert/4631

Details

Source: Mitre, NVD

Published: 2008-11-25

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.02166