CVE-2012-1901

Name of the Vulnerable Software and Affected Versions FlexCMS versions 3.2.1 and earlier

Description The issue allows remote attackers to hijack user authentication for requests that change account settings via a request to "index.php/profile-edit-save" or hijack administrator authentication for requests that add a new page via a request to "admin/pages-new-save".

Recommendations For FlexCMS versions 3.2.1 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "index.php/profile-edit-save" and "admin/pages-new-save" API endpoints until a patch is available. Avoid using these endpoints in a way that could allow unauthorized changes to account settings or addition of new pages.