PT-2018-11280 · Episerver · Episerver Ektron Cms

Alex Hernandez

Published: 2018-10-10 · Updated: 2019-10-03

CVE: CVE-2018-12596

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- Episerver Ektron CMS versions prior to 9.0 SP3 Site CU 31
- Episerver Ektron CMS versions 9.1 prior to SP3 Site CU 45
- Episerver Ektron CMS versions 9.2 prior to SP2 Site CU 22
Description

The issue allows remote attackers to call aspx pages via the "activateuser.aspx" page, even when the target page is located under the /WorkArea/ path, which is normally accessible only to local administrators.
Recommendations

- For Episerver Ektron CMS versions prior to 9.0 SP3 Site CU 31, update to version 9.0 SP3 Site CU 31 or later.
- For Episerver Ektron CMS versions 9.1 prior to SP3 Site CU 45, update to version 9.1 SP3 Site CU 45 or later.
- For Episerver Ektron CMS versions 9.2 prior to SP2 Site CU 22, update to version 9.2 SP2 Site CU 22 or later.

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2018-12596

Affected Products

Episerver Ektron Cms