CVE-2020-26167

In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
thedaylightstudiofuel_cms
𝑥
≤ 1.4.12
𝑥
= Vulnerable software versions
References
https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-26167
https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/
https://github.com/daylightstudio/FUEL-CMS/
https://thedaylightstudio.com/
https://www.getfuelcms.com/
https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/
https://github.com/daylightstudio/FUEL-CMS/
https://thedaylightstudio.com/
https://www.getfuelcms.com/