PT-2011-1330 · Cre Loaded

Published: 2011-06-08 · Updated: 2024-02-14 · CVE-2009-5076

CVSS v2.0: 7.5 (High) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: CRE Loaded versions prior to 6.3.x; CRE Loaded version 6.2.14 and earlier.

Description: The issue allows remote attackers to bypass authentication and gain administrator privileges. This is achieved by sending a request with a specific PHP file name, such as login.php or password_forgotten.php, appended as the PATH_INFO, which bypasses a check based on PHP_SELF. The vulnerability is due to improper handling in includes/application_top.php and admin/includes/application_top.php. It has been exploited in the wild.

Recommendations: For CRE Loaded versions prior to 6.3.x, update to version 6.3.x or later. For CRE Loaded version 6.2.14 and earlier, update to version 6.2.14 or later. As a temporary workaround, consider restricting access to login.php and password_forgotten.php to minimize the risk of exploitation.
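The mechanism above, modelled as an added example (not code from CRE Loaded or from this advisory): PHP sets PHP_SELF to SCRIPT_NAME plus any PATH_INFO, so a check that derives the current page from basename(PHP_SELF) can be steered by the trailing path, while a check on SCRIPT_NAME cannot. The shape of the pre-6.3 check, the function names, and the log lines are assumptions constructed for illustration; the block also includes a small access-log detector for the request shape the description names.

```python
import re
from typing import Tuple

# Pages the application lets unauthenticated users reach.
LOGIN_PAGES = {"login.php", "password_forgotten.php"}

def vulnerable_requires_login(script_name: str, path_info: str, logged_in: bool) -> bool:
    """Assumed shape of the pre-6.3 check: the page name is taken from
    basename(PHP_SELF), and PHP_SELF = SCRIPT_NAME + PATH_INFO, so the
    trailing PATH_INFO chosen by the client decides the outcome."""
    if logged_in:
        return False
    current_page = (script_name + path_info).rsplit("/", 1)[-1]  # basename(PHP_SELF)
    return current_page not in LOGIN_PAGES

def hardened_requires_login(script_name: str, path_info: str, logged_in: bool) -> bool:
    """Hardened check: decide from SCRIPT_NAME, the script that actually
    executes, so PATH_INFO cannot change the answer."""
    if logged_in:
        return False
    current_page = script_name.rsplit("/", 1)[-1]
    return current_page not in LOGIN_PAGES

def split_request_path(path: str) -> Tuple[str, str]:
    """Split a URL path into (SCRIPT_NAME, PATH_INFO) the way the web server
    does for /dir/script.php/extra: the first .php segment is the script."""
    segs = path.split("?", 1)[0].split("/")
    for i, seg in enumerate(segs):
        if seg.lower().endswith(".php"):
            rest = "/".join(segs[i + 1:])
            return "/".join(segs[:i + 1]), ("/" + rest if rest else "")
    return path, ""

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def suspicious_path_info(log_line: str) -> bool:
    """Access-log detection: a login page name carried in PATH_INFO behind
    another script is the request shape this advisory describes."""
    m = LOG_RE.search(log_line)
    if not m:
        return False
    _, path_info = split_request_path(m.group(1))
    return path_info.rsplit("/", 1)[-1] in LOGIN_PAGES
```

Run the detector over the admin area's access log; on patched installs the hardened check also makes such requests land on the login redirect, which the status code in the log will show.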

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2009-5076

Affected Products: Cre Loaded