PT-2009-4241 · Flyspeck · Flyspeck Cms
Ahmadbady
·
Published
2009-05-22
·
Updated
2017-09-29
·
CVE-2009-1771
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions:
Flyspeck CMS version 6.8
Description:
The issue allows remote attackers to create or modify admin accounts without requiring administrative authentication for the updateExistingContent action. This is achieved by manipulating specific parameters in the request, including
users[fullname], users[email], users[role id], users[username], and users[password].Recommendations:
For Flyspeck CMS version 6.8, ensure that administrative authentication is properly enforced for the updateExistingContent action to prevent unauthorized modifications to admin accounts. As a temporary workaround, consider restricting access to the updateExistingContent action until a proper fix is implemented.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Flyspeck Cms