PT-2021-3961 · Fuel Cms · Fuel Cms

Bunneyops

Published

2021-08-09

Updated

2021-08-17

CVE-2021-38290

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FUEL CMS versions 1.5.0

Description A host header attack issue exists due to the lack of special element neutralization in fuel/modules/fuel/config/fuel constants.php and fuel/modules/fuel/libraries/Asset.php. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. An attacker can use a man-in-the-middle attack, such as phishing.

Recommendations For FUEL CMS version 1.5.0, consider disabling access to the fuel/modules/fuel/config/fuel constants.php and fuel/modules/fuel/libraries/Asset.php files until a patch is available. Restrict access to these modules to minimize the risk of exploitation. Avoid using the fuel/modules/fuel/config/fuel constants.php and fuel/modules/fuel/libraries/Asset.php files in sensitive operations until the issue is resolved.

Exploit

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

BDU:2021-04480

CVE-2021-38290

Affected Products

Fuel Cms

PT-2021-3961 · Fuel Cms · Fuel Cms

CVE-2021-38290

Weakness Enumeration

Related Identifiers

Affected Products

References · 7