CVE-2012-4902

Name of the Vulnerable Software and Affected Versions Template CMS versions 2.1.1 and earlier

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be done in two ways: (1) by creating an administrator user via an "add" action to "admin/index.php" API endpoint, (2) by conducting static PHP code injection attacks via the themes editor parameter in an "edit template" action to "admin/index.php" API endpoint.

Recommendations For Template CMS versions 2.1.1 and earlier, as a temporary workaround, consider restricting access to the "admin/index.php" API endpoint to minimize the risk of exploitation. Avoid using the themes editor parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.