An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password resets.
The vulnerability (classified as CWE-620 — Unverified Password Change) lies in improper identity verification during the password change process. An attacker can remotely trigger a password reset procedure for any account without possessing any authentication credentials. The lack of proper validation of the requester's identity enables account takeover without knowledge of current passwords.
An attacker can take control of any account in the system, including administrative accounts, thereby gaining full access to the restaurant management platform. This can lead to data disclosure, modification of system configuration, and disruption of service continuity.
Patches available from the vendor should be applied in accordance with the references. As a temporary measure, it is recommended to restrict network access to the platform only to trusted IP addresses and to implement enhanced monitoring of password reset attempts.
Restaurant Digital Comprehensive Management platform by Hangzhou Xiongwei Technology Development Co., Ltd. in version v1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H