CVE-2020-26167 | Cyber Solutions By Thales

Abstract Advisory Information

An issue was discovered in fuelcms before version 11.4.13, where the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.

Author: Dominique Righetto

Version affected

Name: fuelcms

Versions: 11.4.12 and before

Common Vulnerability Scoring System

9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Patches

Already available

References

https://github.com/daylightstudio/FUEL-CMS
https://www.getfuelcms.com/

Vulnerability Disclosure Timeline

20/09/2020: Vulnerability discovered
29/09/2020: Daylight Studio is notified of the issue
29/09/2020: Daylight Studio acknowledgment
30/09/2020: Request CVE ID to Mitre
30/09/2020: CVE ID Assigned by MITRE
30/09/2020: Private disclosure
04/11/2020: Public disclosure