PT-2021-22588 · Yakamara Media · Redaxo Cms

Author: Evildrummer · Published: 2021-09-09 · Updated: 2022-07-12

CVE: CVE-2021-39458
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Yakamara Media Redaxo CMS version 5.12.1
Description: Triggering an error page of the import process in the CMS allows an authenticated user to alter the files of a valid file backup; the resulting error output leaks database credentials held in the environment variables.
Recommendations: For Yakamara Media Redaxo CMS version 5.12.1, restrict access to the import process so that authenticated users cannot trigger the error page or alter file backups until a fix is available. As a temporary workaround, restrict the ability of authenticated CMS users to access and modify backup files to minimize the risk of database credential leakage.

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2021-39458

Affected Products

Redaxo Cms