Published: 2018/10/12  Last Updated: 2018/10/12

Information from Open Source Solution Technology Corporation

Vulnerability ID: JVN#49995005
Title: OpenAM (Open Source Edition) vulnerable to session management

This is a statement from the vendor itself with no modification by JPCERT/CC.

An improper session management vulnerability in user self-service

Affected Version: OpenAM 13
CVSS Severity Level: Medium

A vulnerability caused by improper session management exists in
OpenAM. Users who can log in to OpenAM can rewrite secret questions
of other users and then change their passwords.

This vulnerability is exploitable when secret questions in the
self-service functionality are enabled.
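The access-control pattern behind this class of bug, shown as an added illustration that is not OpenAM's code or the vendor's fix: a self-service handler that takes the target account from the request body lets any authenticated user rewrite someone else's secret questions, which then unlocks a password reset. The hardened handler binds the target to the authenticated session principal and rejects any request that names a different user. The `Session`, `Account` and directory structures and all sample data are constructed for this example.

```python
"""Illustration of the authorization flaw described in JVN#49995005.

Generic toy model, not OpenAM code: shows why a self-service endpoint must
derive the account it modifies from the authenticated session rather than
from a caller-supplied identifier. All data here is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    principal: str  # the user that actually authenticated


@dataclass
class Account:
    secret_questions: dict = field(default_factory=dict)
    password: str = ""


class Forbidden(Exception):
    """Raised when a request tries to act on an account it does not own."""


def make_directory():
    """Constructed user store with two accounts."""
    return {
        "alice": Account({"pet": "rex"}, "alice-pw"),
        "bob": Account({"city": "oslo"}, "bob-pw"),
    }


def update_questions_vulnerable(directory, session, request):
    """Vulnerable pattern: the target account comes from the request body,
    so any logged-in user can overwrite another user's secret questions."""
    target = request.get("user", session.principal)
    directory[target].secret_questions = dict(request["questions"])
    return target


def update_questions_hardened(directory, session, request):
    """Hardened pattern: the target is always the session principal. A
    request that names a different user is refused (and is worth logging,
    since it indicates someone probing the endpoint)."""
    target = session.principal
    if "user" in request and request["user"] != target:
        raise Forbidden(f"{target} may not modify questions of {request['user']}")
    directory[target].secret_questions = dict(request["questions"])
    return target


def reset_password(directory, user, answers, new_password):
    """Password reset gated on the stored secret questions: every stored
    question must be answered and every answer must match."""
    acct = directory[user]
    stored = acct.secret_questions
    if stored and set(answers) == set(stored) and all(
        stored[q] == a for q, a in answers.items()
    ):
        acct.password = new_password
        return True
    return False


def demo():
    """Regression check: the vulnerable handler allows a cross-account
    takeover, the hardened one blocks it and leaves the victim untouched."""
    bob = Session("bob")
    cross_account = {"user": "alice", "questions": {"color": "blue"}}

    d_vuln = make_directory()
    update_questions_vulnerable(d_vuln, bob, cross_account)
    took_over = reset_password(d_vuln, "alice", {"color": "blue"}, "changed")

    d_hard = make_directory()
    try:
        update_questions_hardened(d_hard, bob, cross_account)
        blocked = False
    except Forbidden:
        blocked = True
    return took_over, blocked, d_hard["alice"].secret_questions


if __name__ == "__main__":
    print(demo())  # expect (True, True, {'pet': 'rex'})
```

The mitigation is the single line that replaces `request.get("user", ...)` with `session.principal`; the explicit `Forbidden` on a mismatched `user` field is there so that probing attempts surface in logs instead of silently degrading to a self-update.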