CVE-2020-26167

EUVD-2020-18792
In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
thedaylightstudiofuel_cms
𝑥
≤ 1.4.12
𝑥
= Vulnerable software versions
References
https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-26167
https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/
https://github.com/daylightstudio/FUEL-CMS/
https://thedaylightstudio.com/
https://www.getfuelcms.com/
https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/
https://github.com/daylightstudio/FUEL-CMS/
https://thedaylightstudio.com/
https://www.getfuelcms.com/