
CVE-2018-12596

NVD (NIST)
Published: Oct 10, 2018
Modified: Nov 21, 2024

CVSS score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

Affected (8)

1 product
Ektron Cms
Configuration A
8 vulnerable
Vulnerable Software / Affected Versions
Episerver
Version 9.00
Version 9.00 sp1
Version 9.00 sp2
Version 9.10
Version 9.10 sp1
Version 9.10 sp2
Version 9.20
Version 9.20 sp1

References (8)

Source: cve@mitre.org
Exploit, Mailing List, Mitigation, Patch, Third Party Advisory
Source: cve@mitre.org
Exploit, Patch, Third Party Advisory
Source: cve@mitre.org
Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit, Mailing List, Mitigation, Patch, Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit, Patch, Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry
