CVE-2020-26167

by Excellium SA

Abstract Advisory Information

An issue was discovered in fuelcms before version 11.4.13: the page preview feature allows an anonymous user to take complete ownership of any account, including an administrator account.

Authors: Dominique Righetto

Version affected

Name: fuelcms
Versions: 11.4.12 and before

Common Vulnerability Scoring System

9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Patches

Already available

References

Vulnerability Disclosure Timeline

  • 20/09/2020: Vulnerability discovered
  • 29/09/2020: Daylight Studio is notified of the issue
  • 29/09/2020: Daylight Studio acknowledgment
  • 30/09/2020: CVE ID requested from MITRE
  • 30/09/2020: CVE ID Assigned by MITRE
  • 30/09/2020: Private disclosure
  • 04/11/2020: Public disclosure