Description
Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).
References
- Exploit, Mailing List, Mitigation, Patch, Third Party Advisory
- Exploit, Patch, Third Party Advisory
- Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry
Vulnerable configurations
Configuration 1
One of
cpe:2.3:a:episerver:ektron_cms:9.00:-:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.00:sp1:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.00:sp2:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.10:-:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.10:sp1:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.10:sp2:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.20:-:*:*:*:*:*:*
cpe:2.3:a:episerver:ektron_cms:9.20:sp1:*:*:*:*:*:*
EPSS
Percentile: 98%
0.47919
Medium
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Weaknesses
CWE-269
Related vulnerabilities
CVSS3: 9.8
github
more than 3 years ago
Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).